738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
Size

492KB
MD5

0d5db5606344289905ffde8fc2d42a10
SHA1

9b1a29083cfa6c41d493246daa84d8c9bcd0c159
SHA256

738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
SHA512

197dbd9805d93d1d62903fa11615a288cb226a0b0f2ddfd0bbe543e7c572aeb9d9203b4b6a81cd756bd4ff280961ac8c0e5a65a7be49eaf3341bf6b8de9e2f9c
SSDEEP

12288:vg9QKS/9gFM+tvYr5hdI6iypAy8DkxRY10:o99S+FM+Y5Jp0ACO

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\docUQAcE\\zOAgQUYY.exe,"	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\docUQAcE\\zOAgQUYY.exe,"	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
3132	SWAwIIcQ.exe
3460	zOAgQUYY.exe
4892	jCcssgcE.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SWAwIIcQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SWAwIIcQ.exe = "C:\\Users\\Admin\\amgccgoE\\SWAwIIcQ.exe"	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zOAgQUYY.exe = "C:\\ProgramData\\docUQAcE\\zOAgQUYY.exe"	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SWAwIIcQ.exe = "C:\\Users\\Admin\\amgccgoE\\SWAwIIcQ.exe"	SWAwIIcQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zOAgQUYY.exe = "C:\\ProgramData\\docUQAcE\\zOAgQUYY.exe"	zOAgQUYY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zOAgQUYY.exe = "C:\\ProgramData\\docUQAcE\\zOAgQUYY.exe"	jCcssgcE.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\amgccgoE	jCcssgcE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\amgccgoE\SWAwIIcQ	jCcssgcE.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	SWAwIIcQ.exe
File opened for modification	C:\Windows\SysWOW64\sheReceiveStart.docx	SWAwIIcQ.exe
File opened for modification	C:\Windows\SysWOW64\sheResumeWatch.pptm	SWAwIIcQ.exe
File opened for modification	C:\Windows\SysWOW64\sheUndoClear.gif	SWAwIIcQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4804	reg.exe
4216	reg.exe
1856	reg.exe
2732	reg.exe
3020	reg.exe
4568	reg.exe
1180	reg.exe
2156	reg.exe
2972	reg.exe
1816	reg.exe
5004	reg.exe
1112	reg.exe
1072	reg.exe
2468	reg.exe
3184	reg.exe
5024	reg.exe
464	reg.exe
2144	reg.exe
5108	reg.exe
1768	reg.exe
1820	reg.exe
3392	reg.exe
1440	reg.exe
112	reg.exe
2360	reg.exe
3652	reg.exe
2320	reg.exe
3256	reg.exe
1216	reg.exe
4948	reg.exe
3296	reg.exe
884	reg.exe
800	reg.exe
1984	reg.exe
4316	reg.exe
4948	reg.exe
4236	reg.exe
3892	reg.exe
3520	reg.exe
3396	reg.exe
3444	reg.exe
4556	reg.exe
1832	reg.exe
3548	reg.exe
4804	reg.exe
1364	reg.exe
2408	reg.exe
756	reg.exe
3300	reg.exe
2696	reg.exe
3652	reg.exe
4496	reg.exe
4080	reg.exe
4760	reg.exe
2304	reg.exe
4664	reg.exe
4904	reg.exe
912	reg.exe
2304	reg.exe
1276	reg.exe
728	reg.exe
1784	reg.exe
2604	reg.exe
4508	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3244	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3244	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3244	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3244	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3880	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3880	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3880	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3880	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5088	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5088	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5088	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5088	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5064	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5064	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5064	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5064	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
2604	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
2604	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
2604	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
2604	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4696	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4696	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4696	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4696	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5048	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5048	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5048	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
5048	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4688	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4688	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4688	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4688	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
2060	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
2060	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
2060	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
2060	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4516	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4516	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4516	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4516	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4076	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4076	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4076	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
4076	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3932	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3932	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3932	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3932	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3556	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3556	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3556	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
3556	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3132	SWAwIIcQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe
3132	SWAwIIcQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3132	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	83
PID 4904 wrote to memory of 3132	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	83
PID 4904 wrote to memory of 3132	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	83
PID 4904 wrote to memory of 3460	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	84
PID 4904 wrote to memory of 3460	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	84
PID 4904 wrote to memory of 3460	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	84
PID 4904 wrote to memory of 3444	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	86
PID 4904 wrote to memory of 3444	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	86
PID 4904 wrote to memory of 3444	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	86
PID 3444 wrote to memory of 8	3444	cmd.exe	88
PID 3444 wrote to memory of 8	3444	cmd.exe	88
PID 3444 wrote to memory of 8	3444	cmd.exe	88
PID 4904 wrote to memory of 3716	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	89
PID 4904 wrote to memory of 3716	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	89
PID 4904 wrote to memory of 3716	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	89
PID 4904 wrote to memory of 3396	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	94
PID 4904 wrote to memory of 3396	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	94
PID 4904 wrote to memory of 3396	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	94
PID 4904 wrote to memory of 4164	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	91
PID 4904 wrote to memory of 4164	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	91
PID 4904 wrote to memory of 4164	4904	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	91
PID 8 wrote to memory of 884	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	95
PID 8 wrote to memory of 884	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	95
PID 8 wrote to memory of 884	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	95
PID 884 wrote to memory of 5084	884	cmd.exe	97
PID 884 wrote to memory of 5084	884	cmd.exe	97
PID 884 wrote to memory of 5084	884	cmd.exe	97
PID 8 wrote to memory of 4236	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	101
PID 8 wrote to memory of 4236	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	101
PID 8 wrote to memory of 4236	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	101
PID 8 wrote to memory of 2156	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	100
PID 8 wrote to memory of 2156	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	100
PID 8 wrote to memory of 2156	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	100
PID 8 wrote to memory of 3300	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	99
PID 8 wrote to memory of 3300	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	99
PID 8 wrote to memory of 3300	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	99
PID 8 wrote to memory of 3388	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	104
PID 8 wrote to memory of 3388	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	104
PID 8 wrote to memory of 3388	8	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	104
PID 5084 wrote to memory of 3788	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	106
PID 5084 wrote to memory of 3788	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	106
PID 5084 wrote to memory of 3788	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	106
PID 3388 wrote to memory of 1324	3388	cmd.exe	109
PID 3388 wrote to memory of 1324	3388	cmd.exe	109
PID 3388 wrote to memory of 1324	3388	cmd.exe	109
PID 3788 wrote to memory of 3244	3788	cmd.exe	108
PID 3788 wrote to memory of 3244	3788	cmd.exe	108
PID 3788 wrote to memory of 3244	3788	cmd.exe	108
PID 5084 wrote to memory of 3556	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	110
PID 5084 wrote to memory of 3556	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	110
PID 5084 wrote to memory of 3556	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	110
PID 5084 wrote to memory of 3588	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	111
PID 5084 wrote to memory of 3588	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	111
PID 5084 wrote to memory of 3588	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	111
PID 5084 wrote to memory of 4696	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	113
PID 5084 wrote to memory of 4696	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	113
PID 5084 wrote to memory of 4696	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	113
PID 5084 wrote to memory of 4584	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	115
PID 5084 wrote to memory of 4584	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	115
PID 5084 wrote to memory of 4584	5084	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	115
PID 3244 wrote to memory of 3828	3244	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	117
PID 3244 wrote to memory of 3828	3244	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	117
PID 3244 wrote to memory of 3828	3244	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	117
PID 3244 wrote to memory of 3428	3244	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe	120

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
"C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\amgccgoE\SWAwIIcQ.exe
  "C:\Users\Admin\amgccgoE\SWAwIIcQ.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3132
- C:\ProgramData\docUQAcE\zOAgQUYY.exe
  "C:\ProgramData\docUQAcE\zOAgQUYY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
    C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        8⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        10⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        12⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        14⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        16⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        18⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        20⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        22⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        24⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        26⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        28⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        30⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        32⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        33⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        34⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        35⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        36⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        37⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        38⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        39⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        40⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        41⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        42⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        43⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        44⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        45⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        46⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        47⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        48⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        49⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        50⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        51⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        52⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        53⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        54⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        55⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        56⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        57⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        58⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        59⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        60⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        61⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        62⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        63⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        64⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        65⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        66⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        67⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        68⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        69⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        70⤵
        
        PID:3400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        71⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        72⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        73⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        74⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        75⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        76⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        77⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        78⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        79⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        80⤵
        
        PID:4504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        81⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        82⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        83⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        84⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        85⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        86⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        87⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        88⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        89⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        90⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        91⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        92⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        93⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        94⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        95⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        96⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        97⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        98⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        99⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        100⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        101⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        102⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        103⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        104⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        105⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        106⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        107⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        108⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        109⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        110⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        111⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        112⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        113⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        114⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        115⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        116⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        117⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        118⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        119⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        120⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        121⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        122⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        123⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        124⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        125⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        126⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        127⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        128⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        129⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        130⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        131⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        132⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        133⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        134⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        135⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        136⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        137⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        138⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        139⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        140⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        141⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        142⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        143⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        144⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        145⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        146⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        147⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        148⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        149⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        150⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        151⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        152⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        153⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        154⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        155⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        156⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        157⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        158⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        159⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        160⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        161⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d"
        162⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d
        163⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqIUUQwM.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        162⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmIsQsEw.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        160⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        Modifies registry key
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYYgAYEc.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        158⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKAcskwo.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        156⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        Modifies registry key
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkEwMcEE.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        154⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOMskEIc.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        152⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmQIIYIU.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        150⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOkUYQEw.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        148⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYAUgIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        146⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAcUYMok.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        144⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKgAQcoE.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        142⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        Modifies registry key
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cokwMMYc.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        140⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUkAwAkM.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        138⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgMgEEkw.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        136⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LegUkkYU.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        134⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        Modifies registry key
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsYIQUcI.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        132⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqUcIUAw.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        130⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMYgwkAc.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        128⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkUAAokg.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        126⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuQQIMsY.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        124⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAokkgMM.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        122⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUQwQwMc.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        120⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biEoYAkg.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        118⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuYQgkME.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        116⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIoIUgUE.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        114⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boUQUUIc.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        112⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biEcggsE.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        110⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKQMMcMk.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        108⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgUQkMYk.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        106⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmEkYMgU.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        104⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkoMkccg.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        102⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAIkAUow.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        100⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKskMEIo.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        98⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeIgEcsc.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        96⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaIkcggc.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        94⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soIsAEEc.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        92⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUIAgMcY.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        90⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcEoEQEk.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        88⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcAcoEAM.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        86⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAIEAYQA.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        84⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkQQYgwI.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        82⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsokUwQw.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        80⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAQoYkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        78⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWIgQosg.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        76⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        Modifies registry key
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KysUgMwI.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        74⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcoMcMEw.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        72⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        UAC bypass
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RiQkMUEI.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        70⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkoIUIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        68⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWQkYcco.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        66⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iggkEswY.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        64⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmsMUIAY.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        62⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKgkkkYc.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        60⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAsoIYsE.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        58⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGoEIYgg.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        56⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUcAkEss.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        54⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCoMYYYk.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        52⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dugsYYwE.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        50⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKAIcMUw.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        48⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeYYkMQI.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        46⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUIsgsUA.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        44⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOMkckYc.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        42⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCUAsMEs.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        40⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKYEAYMY.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        38⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMowsssA.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        36⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hecMIgEo.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        34⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsUscQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        32⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQYwEcUQ.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        30⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIMMoAYI.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        28⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMUIUcQs.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        26⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYUcsgME.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        24⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEggggos.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        22⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcQMcwkE.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        20⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUYoMEYg.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        18⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUUgAksw.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        16⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQQQsgUM.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        14⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmwsEkco.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        12⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMEAocIU.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        10⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKIYUcMQ.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        8⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        UAC bypass
        
        PID:4948
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3556
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3588
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGUsowco.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
        6⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4156
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3300
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2156
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgsMwQEo.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3388
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1324
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3716
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4164
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYMEooEE.bat" "C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d.exe""
  2⤵
  PID:884
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3020

C:\ProgramData\rocYoUIY\jCcssgcE.exe
C:\ProgramData\rocYoUIY\jCcssgcE.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\docUQAcE\zOAgQUYY.exe

Filesize
478KB

MD5
906ef0584e4ee2119ad27df078603e0f

SHA1
9d34782c4ea51ee993c23cb28d736cb7415a9106

SHA256
b511ff10c2bfed943f50833b506dcc528c2d3390d3b85505357f867523365919

SHA512
c407fb69d3c58b92e8df7ed4d32cef738d7d19ffba38085f61966021cf2a991e4c9e70542674dab4135a52bd1736cbf54656ed2a75a04b7b9c7d0f01310223c9

Download Submit
C:\ProgramData\docUQAcE\zOAgQUYY.exe

Filesize
478KB

MD5
906ef0584e4ee2119ad27df078603e0f

SHA1
9d34782c4ea51ee993c23cb28d736cb7415a9106

SHA256
b511ff10c2bfed943f50833b506dcc528c2d3390d3b85505357f867523365919

SHA512
c407fb69d3c58b92e8df7ed4d32cef738d7d19ffba38085f61966021cf2a991e4c9e70542674dab4135a52bd1736cbf54656ed2a75a04b7b9c7d0f01310223c9

Download Submit
C:\ProgramData\rocYoUIY\jCcssgcE.exe

Filesize
483KB

MD5
109853bb8b8f3194cd59e8f773956473

SHA1
1b9bf288fd38ebd262bf077733823c28187b4678

SHA256
522c5dbd4ef04898aac54aad066b20d749adf22820f347f0047c1f27f792cc08

SHA512
56b30736400c3715561e7c9b0c93f4698bcfa6d6e9062ae794089161acab7e63f6ad34228b700c9864c57406ecde5ee6614fdf0ecff7e81d1c8f36d1042c6351

Download Submit
C:\ProgramData\rocYoUIY\jCcssgcE.exe

Filesize
483KB

MD5
109853bb8b8f3194cd59e8f773956473

SHA1
1b9bf288fd38ebd262bf077733823c28187b4678

SHA256
522c5dbd4ef04898aac54aad066b20d749adf22820f347f0047c1f27f792cc08

SHA512
56b30736400c3715561e7c9b0c93f4698bcfa6d6e9062ae794089161acab7e63f6ad34228b700c9864c57406ecde5ee6614fdf0ecff7e81d1c8f36d1042c6351

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\738cc8cf2db1e6743615b6e23016ab0ccf74f85802216bc47b161cd0dfa23c9d

Filesize
6KB

MD5
4b8a9dc8daa40ee3fe9ca2406b0a6201

SHA1
2209e19a1af6e0b4ef96632136e449635e3585fa

SHA256
07d3aeca5d09371344e66abd6cdf2151d2f05d84a568d31307bec54ef850600c

SHA512
63d8df0a7902bfc6d83697aa34d14f70ded087591a0c534ce68e2ada936a63609344b6e717b9e09c736c8e2edf371e83837873317d21ac1b20c1fe40f2617cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCUAsMEs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUYoMEYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmwsEkco.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMUIUcQs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMowsssA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKIYUcMQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsUscQoQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMEAocIU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUUgAksw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcQMcwkE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGUsowco.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZKYEAYMY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYUcsgME.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEggggos.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIMMoAYI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQYwEcUQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hecMIgEo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQQQsgUM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgsMwQEo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\amgccgoE\SWAwIIcQ.exe

Filesize
481KB

MD5
225fb63c7ebbeb5883f29e91adc451a3

SHA1
0417a90142cefa5bfe1cda1465d69e313b5e6d8a

SHA256
52044527a70b6b185c827fea2dc756c198ecc11a4060f0734ab0b366771fd643

SHA512
dfe7839a5a70ac6e9a8f7e3baec1570015f01a571376867e81974039225c3c0a99767b45f828f514a7a3fa8120a963595ead8a4b6c546fe6b3f3c22c78d685ad

Download Submit
C:\Users\Admin\amgccgoE\SWAwIIcQ.exe

Filesize
481KB

MD5
225fb63c7ebbeb5883f29e91adc451a3

SHA1
0417a90142cefa5bfe1cda1465d69e313b5e6d8a

SHA256
52044527a70b6b185c827fea2dc756c198ecc11a4060f0734ab0b366771fd643

SHA512
dfe7839a5a70ac6e9a8f7e3baec1570015f01a571376867e81974039225c3c0a99767b45f828f514a7a3fa8120a963595ead8a4b6c546fe6b3f3c22c78d685ad

Download Submit
memory/8-157-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/8-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/816-319-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1040-306-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1040-323-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1156-316-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1156-317-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1220-291-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1276-299-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1276-300-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1340-315-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1456-287-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1456-284-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1924-295-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2060-251-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2136-309-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2252-318-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2604-224-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2616-311-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2708-303-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2708-304-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3132-297-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3132-146-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3244-174-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3244-176-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3388-293-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3388-294-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3460-298-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3460-147-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3556-313-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3556-267-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3556-265-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3880-191-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3932-264-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3956-307-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3956-308-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4008-310-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4076-259-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4076-256-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4156-314-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4236-273-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4480-301-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4496-312-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4516-255-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4560-302-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4592-322-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4688-246-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4696-226-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4696-237-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4836-278-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4836-276-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4892-148-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4904-296-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4904-132-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4904-292-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4956-321-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4956-320-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5048-242-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5064-214-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5064-280-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5084-169-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5088-199-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5088-202-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5092-305-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download