36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Analysis

max time kernel
154s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
Size

449KB
MD5

4bf4763daa0f973efe63c801aa005f80
SHA1

00a705118626a6c3d989fd690a1f59e556878f2e
SHA256

36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
SHA512

dad551f9e958bcad30293f5eeba8c42e30256e9288c9dfdff9241629696f7565dc8b060d7c80f49df36ac48f2561ac468e736b6c064cbd82cf1c71db7c431adb
SSDEEP

6144:2hCtOc+rdxDtB/TCyrJs5z2saX/fQQ8TdUiQjkwJMtMFtYRtk+Ob5MXAqDpjF2qL:2hECzv7x+5HCfQBd3Qj7M6FdRanj/L

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
3260	CmEsggkE.exe
3656	GEogAYUQ.exe
2624	vyMsUIMs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	GEogAYUQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CmEsggkE.exe = "C:\\Users\\Admin\\moEIAMAg\\CmEsggkE.exe"	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GEogAYUQ.exe = "C:\\ProgramData\\WIcAUgYI\\GEogAYUQ.exe"	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CmEsggkE.exe = "C:\\Users\\Admin\\moEIAMAg\\CmEsggkE.exe"	CmEsggkE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GEogAYUQ.exe = "C:\\ProgramData\\WIcAUgYI\\GEogAYUQ.exe"	GEogAYUQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GEogAYUQ.exe = "C:\\ProgramData\\WIcAUgYI\\GEogAYUQ.exe"	vyMsUIMs.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	GEogAYUQ.exe
File opened for modification	C:\Windows\SysWOW64\sheImportResume.pptm	GEogAYUQ.exe
File opened for modification	C:\Windows\SysWOW64\sheSkipInstall.docx	GEogAYUQ.exe
File opened for modification	C:\Windows\SysWOW64\sheSubmitReset.jpeg	GEogAYUQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\moEIAMAg	vyMsUIMs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\moEIAMAg\CmEsggkE	vyMsUIMs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4784	reg.exe
2636	reg.exe
4860	reg.exe
4316	reg.exe
732	reg.exe
1056	reg.exe
2884	reg.exe
4500	reg.exe
948	reg.exe
1352	reg.exe
4444	reg.exe
1868	reg.exe
1492	reg.exe
4416	reg.exe
4328	reg.exe
5044	reg.exe
4112	reg.exe
3680	reg.exe
4772	reg.exe
4772	reg.exe
1304	reg.exe
1736	reg.exe
3788	reg.exe
4432	reg.exe
1736	reg.exe
5072	reg.exe
4860	reg.exe
4020	reg.exe
4332	reg.exe
2636	reg.exe
1328	reg.exe
3252	reg.exe
4904	reg.exe
840	reg.exe
3156	reg.exe
4440	reg.exe
4200	reg.exe
1960	reg.exe
2124	reg.exe
5064	reg.exe
4200	reg.exe
400	reg.exe
380	reg.exe
2632	reg.exe
4020	reg.exe
4852	reg.exe
1480	reg.exe
444	reg.exe
4288	reg.exe
1492	reg.exe
4192	reg.exe
1960	reg.exe
3136	reg.exe
3004	reg.exe
4328	reg.exe
2004	reg.exe
736	reg.exe
4872	reg.exe
2844	reg.exe
4632	reg.exe
2220	reg.exe
4052	reg.exe
4692	reg.exe
2436	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
1148	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
1148	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
1148	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
1148	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3792	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3792	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3792	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3792	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4404	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4404	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4404	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4404	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
2320	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
2320	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
2320	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
2320	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
484	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
484	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
484	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
484	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
5000	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
5000	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
5000	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
5000	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3508	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3508	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3508	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3508	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3412	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3412	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3412	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
3412	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4208	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4208	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4208	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4208	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
1640	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
1640	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
1640	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
1640	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4700	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4700	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4700	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4700	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4832	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4832	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4832	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
4832	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
1512	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
1512	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
1512	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
1512	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3656	GEogAYUQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe
3656	GEogAYUQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 3260	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	84
PID 2260 wrote to memory of 3260	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	84
PID 2260 wrote to memory of 3260	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	84
PID 2260 wrote to memory of 3656	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	85
PID 2260 wrote to memory of 3656	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	85
PID 2260 wrote to memory of 3656	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	85
PID 2260 wrote to memory of 3772	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	87
PID 2260 wrote to memory of 3772	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	87
PID 2260 wrote to memory of 3772	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	87
PID 2260 wrote to memory of 4432	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	89
PID 2260 wrote to memory of 4432	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	89
PID 2260 wrote to memory of 4432	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	89
PID 2260 wrote to memory of 732	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	95
PID 2260 wrote to memory of 732	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	95
PID 2260 wrote to memory of 732	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	95
PID 3772 wrote to memory of 3084	3772	cmd.exe	91
PID 3772 wrote to memory of 3084	3772	cmd.exe	91
PID 3772 wrote to memory of 3084	3772	cmd.exe	91
PID 2260 wrote to memory of 540	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	92
PID 2260 wrote to memory of 540	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	92
PID 2260 wrote to memory of 540	2260	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	92
PID 3084 wrote to memory of 1352	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	96
PID 3084 wrote to memory of 1352	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	96
PID 3084 wrote to memory of 1352	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	96
PID 1352 wrote to memory of 3684	1352	cmd.exe	98
PID 1352 wrote to memory of 3684	1352	cmd.exe	98
PID 1352 wrote to memory of 3684	1352	cmd.exe	98
PID 3084 wrote to memory of 1296	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	99
PID 3084 wrote to memory of 1296	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	99
PID 3084 wrote to memory of 1296	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	99
PID 3084 wrote to memory of 1492	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	100
PID 3084 wrote to memory of 1492	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	100
PID 3084 wrote to memory of 1492	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	100
PID 3084 wrote to memory of 1868	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	105
PID 3084 wrote to memory of 1868	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	105
PID 3084 wrote to memory of 1868	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	105
PID 3084 wrote to memory of 4644	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	103
PID 3084 wrote to memory of 4644	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	103
PID 3084 wrote to memory of 4644	3084	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	103
PID 4644 wrote to memory of 1328	4644	cmd.exe	107
PID 4644 wrote to memory of 1328	4644	cmd.exe	107
PID 4644 wrote to memory of 1328	4644	cmd.exe	107
PID 3684 wrote to memory of 4964	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	108
PID 3684 wrote to memory of 4964	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	108
PID 3684 wrote to memory of 4964	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	108
PID 4964 wrote to memory of 1148	4964	cmd.exe	111
PID 3684 wrote to memory of 924	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	110
PID 4964 wrote to memory of 1148	4964	cmd.exe	111
PID 4964 wrote to memory of 1148	4964	cmd.exe	111
PID 3684 wrote to memory of 924	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	110
PID 3684 wrote to memory of 924	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	110
PID 3684 wrote to memory of 2984	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	112
PID 3684 wrote to memory of 2984	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	112
PID 3684 wrote to memory of 2984	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	112
PID 3684 wrote to memory of 4656	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	113
PID 3684 wrote to memory of 4656	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	113
PID 3684 wrote to memory of 4656	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	113
PID 3684 wrote to memory of 3716	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	116
PID 3684 wrote to memory of 3716	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	116
PID 3684 wrote to memory of 3716	3684	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	116
PID 1148 wrote to memory of 4300	1148	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	119
PID 1148 wrote to memory of 4300	1148	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	119
PID 1148 wrote to memory of 4300	1148	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	119
PID 1148 wrote to memory of 4632	1148	36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe	121

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
"C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\moEIAMAg\CmEsggkE.exe
  "C:\Users\Admin\moEIAMAg\CmEsggkE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3260
- C:\ProgramData\WIcAUgYI\GEogAYUQ.exe
  "C:\ProgramData\WIcAUgYI\GEogAYUQ.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
    C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        8⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        10⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        12⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        14⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        16⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        18⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        20⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        22⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        24⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        26⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        28⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        30⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        32⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        33⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        34⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        35⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        36⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        37⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        38⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        39⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        40⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        41⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        42⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        43⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        44⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        45⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        46⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        47⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        48⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        49⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        50⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        51⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        52⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        53⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        54⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        55⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        56⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        57⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        58⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        59⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        60⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        61⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        62⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        63⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        64⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        65⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        66⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        67⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        68⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        69⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        70⤵
        
        PID:3752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        71⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        72⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        73⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        74⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        75⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        76⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        77⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        78⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        79⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        80⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        81⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        82⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        83⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        84⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        85⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        86⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        87⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        88⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        89⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        90⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        91⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        92⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        93⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        94⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        95⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        96⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        97⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        98⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        99⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        100⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        101⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        102⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        103⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        104⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        105⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        106⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        107⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        108⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        109⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        110⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        111⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        113⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        114⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        115⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        116⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        117⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        118⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        119⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        120⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        121⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        122⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        123⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        124⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        125⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        126⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        127⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        128⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        129⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        130⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        131⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        132⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        133⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        134⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        135⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        136⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        137⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        138⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        139⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        140⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        141⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc"
        142⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe
        
        C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc
        143⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        Modifies registry key
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwQIscUU.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        142⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSswgEoM.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        140⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyMMIkUk.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        138⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwkAEEEE.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        136⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyEQsMcI.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        134⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaAIkEoM.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        132⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMQUwMok.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        130⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TooAIYYo.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        128⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQAAAwgA.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        126⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSkIIAgw.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        124⤵
        
        PID:4828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsQowgks.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        122⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsYIQQkU.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UoscsEIA.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        118⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSIkMoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        116⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIgMAAAw.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        114⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYMMIoUE.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        112⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RokokscE.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        110⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIAEMsgU.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        108⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSkMssMY.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        106⤵
        
        PID:3836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOcwAwsE.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        104⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsIEIsoI.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        102⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAcQMwYw.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        100⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWwYAckA.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        98⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuEcEcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        96⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMEYkEIE.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        94⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:4432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsAwEcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        92⤵
        
        PID:2552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAowkoYY.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        90⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCcQwwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        88⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:4664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKAYAEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        86⤵
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cygsUcYc.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        84⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuAwocwA.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        82⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoYEQEYQ.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        80⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQEgYwgk.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        78⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOMUswYs.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        76⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmIwkogM.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        74⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEsgggQY.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        72⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eckMggsQ.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        70⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUcAAIks.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        68⤵
        
        PID:3680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        UAC bypass
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScsAwYQU.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        66⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgEMoccs.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        64⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaEwIEYA.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        62⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUowYYgo.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        60⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEoggwwo.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        58⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMAYYUwc.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        56⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekAksUcg.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        54⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hswwQEwo.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        52⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCUgUsMs.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        50⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buAsUYcE.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        48⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAYccUAI.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        46⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeAgEkEM.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        44⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMgAIkck.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        42⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECAcoUIk.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        40⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beUIkoUc.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        38⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSwQgQwo.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        36⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuAIUIEg.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        34⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owYwQksE.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        32⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIoIMEoE.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        30⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWIcccIs.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        28⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWkAwssM.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        26⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYYQgIAU.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        24⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUsIQUUY.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        22⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgQIEkII.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        20⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naAkIswg.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        18⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYAgsswg.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        16⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uogMgcws.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        14⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQoAwMAA.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        12⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQEoIYoE.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        10⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWEYkgYY.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        8⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1792
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:924
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2984
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyAQkcIs.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
        6⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3916
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1296
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAsYcoUY.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1328
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1868
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4432
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkgooQks.bat" "C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc.exe""
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3708

C:\ProgramData\nyIMMQUk\vyMsUIMs.exe
C:\ProgramData\nyIMMQUk\vyMsUIMs.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4512

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WIcAUgYI\GEogAYUQ.exe

Filesize
428KB

MD5
d6159b80eb1225d6e8da78a12e6c1fc4

SHA1
17ad9b684cf932eafc23b197204ef9f33701bb94

SHA256
58101e9efcf8fea2f85a62c415f08ae32f600f9b64e54f68100f666c707e0df1

SHA512
6ddde36bc0f4b9d4ff21d6155caeeba6d47643e53e0ec77500d4822a88be5314fc60ef4a139c4bab82ac1b8a32806c7084e2498ffe4a6a2edf9c3d8a9c689a73

Download Submit
C:\ProgramData\WIcAUgYI\GEogAYUQ.exe

Filesize
428KB

MD5
d6159b80eb1225d6e8da78a12e6c1fc4

SHA1
17ad9b684cf932eafc23b197204ef9f33701bb94

SHA256
58101e9efcf8fea2f85a62c415f08ae32f600f9b64e54f68100f666c707e0df1

SHA512
6ddde36bc0f4b9d4ff21d6155caeeba6d47643e53e0ec77500d4822a88be5314fc60ef4a139c4bab82ac1b8a32806c7084e2498ffe4a6a2edf9c3d8a9c689a73

Download Submit
C:\ProgramData\nyIMMQUk\vyMsUIMs.exe

Filesize
431KB

MD5
2b1a718c400c88b4386859ca2934030e

SHA1
d8b4f8f17e1fd2bb262eb7919976e9a7dadfd779

SHA256
1b3475ae75ab6e9980133095b802bbeeb72c6d904fe82157646884ffcefcc5ee

SHA512
60f4698db71854e79187ae514b5683ebc70e4875564905942d53f2d485418b813ccd9ba7920f4b6ea9ef83aafe8ec7dfe088fad0cfc5f981a279f07489dc5295

Download Submit
C:\ProgramData\nyIMMQUk\vyMsUIMs.exe

Filesize
431KB

MD5
2b1a718c400c88b4386859ca2934030e

SHA1
d8b4f8f17e1fd2bb262eb7919976e9a7dadfd779

SHA256
1b3475ae75ab6e9980133095b802bbeeb72c6d904fe82157646884ffcefcc5ee

SHA512
60f4698db71854e79187ae514b5683ebc70e4875564905942d53f2d485418b813ccd9ba7920f4b6ea9ef83aafe8ec7dfe088fad0cfc5f981a279f07489dc5295

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36d93b35a133e19b55d06d1e706d97535817a22658454e56183b0d0a8af0f4bc

Filesize
6KB

MD5
7853d07ec1ec8d612c25e3a7733a2142

SHA1
88438849bc048dbd0a9875508082630c3ba0d924

SHA256
38d399a8fac9a3326370dcdfaad5c0de203883557f82d8373f0ce4ef7137a859

SHA512
df288e8a8aaa30f8d26f90901ece904c22543f1ee25d31b6d1485c8a0e3121ba3cd7c16edb91c019e85d50ac627151585fcde3b6abbca3980dbfe8c72159779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWkAwssM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIoIMEoE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMgAIkck.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECAcoUIk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYYQgIAU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EyAQkcIs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAsYcoUY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KuAIUIEg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYAgsswg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQoAwMAA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\beUIkoUc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kWIcccIs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\naAkIswg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\owYwQksE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pSwQgQwo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgQIEkII.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUsIQUUY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWEYkgYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uogMgcws.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQEoIYoE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\moEIAMAg\CmEsggkE.exe

Filesize
436KB

MD5
38bf3a0e9f8d2846e148907f4112b903

SHA1
1ac0408a1a58d44e79bbb7b5ad84307524e1abf2

SHA256
7b8021689493a067e5c5d8b1ff196d39a66b836f080bc60b0bb924f21f433527

SHA512
21790476918386d26c970512b579543d38c0ce9c0ee20e93eec8db1de0ed536fa58e222decb322dc031076bb92fe6e5e73bfad1cf78a1f7ecfb18d5c0ede013e

Download Submit
C:\Users\Admin\moEIAMAg\CmEsggkE.exe

Filesize
436KB

MD5
38bf3a0e9f8d2846e148907f4112b903

SHA1
1ac0408a1a58d44e79bbb7b5ad84307524e1abf2

SHA256
7b8021689493a067e5c5d8b1ff196d39a66b836f080bc60b0bb924f21f433527

SHA512
21790476918386d26c970512b579543d38c0ce9c0ee20e93eec8db1de0ed536fa58e222decb322dc031076bb92fe6e5e73bfad1cf78a1f7ecfb18d5c0ede013e

Download Submit
memory/404-298-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/448-277-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/448-275-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/484-221-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/484-220-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/572-319-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/972-320-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1148-168-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1148-176-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1512-272-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1532-308-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1532-307-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1576-305-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1640-256-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1640-252-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1828-304-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1828-302-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1876-312-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2260-303-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2260-260-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2260-132-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2320-213-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2332-311-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2332-310-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2348-323-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2348-322-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2432-321-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2508-317-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2508-318-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2624-148-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2984-281-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3084-158-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3084-149-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3144-316-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3144-309-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3216-300-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3216-299-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3260-265-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3260-146-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3412-245-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3412-247-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3508-242-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3564-296-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3656-147-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3656-266-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3684-167-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3724-301-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3792-190-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3792-187-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4080-289-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4156-313-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4156-314-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4208-306-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4208-251-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4404-201-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4660-297-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4700-258-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4832-268-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4832-264-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4868-285-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5000-235-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5008-294-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5008-293-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5044-315-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download