e8c370012027c85f0ef910fa25385d8e8652df038cb9ac71294fc744334b215e

Analysis

max time kernel
143s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c24601317ac7790b94552d94d91e93b8.exe
Size

198KB
MD5

c24601317ac7790b94552d94d91e93b8
SHA1

5360294d421ce78a701fe14f2ac40376a6900bd4
SHA256

e8c370012027c85f0ef910fa25385d8e8652df038cb9ac71294fc744334b215e
SHA512

5c525b6838058cad8eedc78fb2dd277c76561f286ffa7a8cd36214f071cb4c3793f7d59190a1c7b83c996afb5344dc480d62de4541d47cf8399aaeea85966ca0
SSDEEP

3072:x81f/IOU5/r2RF9gb4Lp3p4dil/c0wbXODCJ8wU5MTnqIH+ejcNC:Kh/LA09yspZKuE7XOAHBTnqecN

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	c24601317ac7790b94552d94d91e93b8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Executes dropped EXE 2 IoCs

pid	Process
1772	JWwsYQIs.exe
3608	GAkoEcgM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JWwsYQIs.exe = "C:\\Users\\Admin\\LMkgcYkI\\JWwsYQIs.exe"	c24601317ac7790b94552d94d91e93b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JWwsYQIs.exe = "C:\\Users\\Admin\\LMkgcYkI\\JWwsYQIs.exe"	JWwsYQIs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GAkoEcgM.exe = "C:\\ProgramData\\MAUkYEYU\\GAkoEcgM.exe"	c24601317ac7790b94552d94d91e93b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GAkoEcgM.exe = "C:\\ProgramData\\MAUkYEYU\\GAkoEcgM.exe"	GAkoEcgM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LsQUYEwA.exe = "C:\\Users\\Admin\\WkkowIsY\\LsQUYEwA.exe"	c24601317ac7790b94552d94d91e93b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sUYkIcws.exe = "C:\\ProgramData\\kqwUgEEE\\sUYkIcws.exe"	c24601317ac7790b94552d94d91e93b8.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c24601317ac7790b94552d94d91e93b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c24601317ac7790b94552d94d91e93b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c24601317ac7790b94552d94d91e93b8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c24601317ac7790b94552d94d91e93b8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1880	3576	WerFault.exe	1016
1120	4440	WerFault.exe	1015

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1740	reg.exe
3464	Process not Found
2472	Process not Found
5116	Process not Found
1952	Process not Found
840	Process not Found
1800	reg.exe
4032	reg.exe
4448	reg.exe
2728	reg.exe
5104	reg.exe
4344	reg.exe
4612	Process not Found
4792	Process not Found
2088	Process not Found
4480	reg.exe
4700	Process not Found
2124	Process not Found
836	reg.exe
3552	reg.exe
1368	reg.exe
4576	reg.exe
4872	reg.exe
3244	reg.exe
3336	reg.exe
3364	Process not Found
4724	reg.exe
2168	reg.exe
1612	Process not Found
5000	reg.exe
8	reg.exe
1188	reg.exe
1952	Process not Found
4960	Process not Found
4792	reg.exe
4268	reg.exe
5020	reg.exe
2892	Process not Found
3436	Process not Found
2256	Process not Found
1812	reg.exe
3772	reg.exe
4864	reg.exe
4392	reg.exe
420	Process not Found
2776	reg.exe
4892	reg.exe
5020	reg.exe
1644	reg.exe
4588	reg.exe
1704	reg.exe
4668	Process not Found
236	Process not Found
4964	Process not Found
4452	Process not Found
3868	Process not Found
4992	Process not Found
744	reg.exe
3612	reg.exe
4152	reg.exe
1972	reg.exe
3336	reg.exe
4304	reg.exe
2036	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1776	c24601317ac7790b94552d94d91e93b8.exe
1776	c24601317ac7790b94552d94d91e93b8.exe
1776	c24601317ac7790b94552d94d91e93b8.exe
1776	c24601317ac7790b94552d94d91e93b8.exe
2780	c24601317ac7790b94552d94d91e93b8.exe
2780	c24601317ac7790b94552d94d91e93b8.exe
2780	c24601317ac7790b94552d94d91e93b8.exe
2780	c24601317ac7790b94552d94d91e93b8.exe
4044	c24601317ac7790b94552d94d91e93b8.exe
4044	c24601317ac7790b94552d94d91e93b8.exe
4044	c24601317ac7790b94552d94d91e93b8.exe
4044	c24601317ac7790b94552d94d91e93b8.exe
4696	c24601317ac7790b94552d94d91e93b8.exe
4696	c24601317ac7790b94552d94d91e93b8.exe
4696	c24601317ac7790b94552d94d91e93b8.exe
4696	c24601317ac7790b94552d94d91e93b8.exe
1176	c24601317ac7790b94552d94d91e93b8.exe
1176	c24601317ac7790b94552d94d91e93b8.exe
1176	c24601317ac7790b94552d94d91e93b8.exe
1176	c24601317ac7790b94552d94d91e93b8.exe
4056	c24601317ac7790b94552d94d91e93b8.exe
4056	c24601317ac7790b94552d94d91e93b8.exe
4056	c24601317ac7790b94552d94d91e93b8.exe
4056	c24601317ac7790b94552d94d91e93b8.exe
4276	c24601317ac7790b94552d94d91e93b8.exe
4276	c24601317ac7790b94552d94d91e93b8.exe
4276	c24601317ac7790b94552d94d91e93b8.exe
4276	c24601317ac7790b94552d94d91e93b8.exe
2552	c24601317ac7790b94552d94d91e93b8.exe
2552	c24601317ac7790b94552d94d91e93b8.exe
2552	c24601317ac7790b94552d94d91e93b8.exe
2552	c24601317ac7790b94552d94d91e93b8.exe
3104	c24601317ac7790b94552d94d91e93b8.exe
3104	c24601317ac7790b94552d94d91e93b8.exe
3104	c24601317ac7790b94552d94d91e93b8.exe
3104	c24601317ac7790b94552d94d91e93b8.exe
4068	c24601317ac7790b94552d94d91e93b8.exe
4068	c24601317ac7790b94552d94d91e93b8.exe
4068	c24601317ac7790b94552d94d91e93b8.exe
4068	c24601317ac7790b94552d94d91e93b8.exe
2100	c24601317ac7790b94552d94d91e93b8.exe
2100	c24601317ac7790b94552d94d91e93b8.exe
2100	c24601317ac7790b94552d94d91e93b8.exe
2100	c24601317ac7790b94552d94d91e93b8.exe
2212	c24601317ac7790b94552d94d91e93b8.exe
2212	c24601317ac7790b94552d94d91e93b8.exe
2212	c24601317ac7790b94552d94d91e93b8.exe
2212	c24601317ac7790b94552d94d91e93b8.exe
3244	c24601317ac7790b94552d94d91e93b8.exe
3244	c24601317ac7790b94552d94d91e93b8.exe
3244	c24601317ac7790b94552d94d91e93b8.exe
3244	c24601317ac7790b94552d94d91e93b8.exe
4328	c24601317ac7790b94552d94d91e93b8.exe
4328	c24601317ac7790b94552d94d91e93b8.exe
4328	c24601317ac7790b94552d94d91e93b8.exe
4328	c24601317ac7790b94552d94d91e93b8.exe
4492	c24601317ac7790b94552d94d91e93b8.exe
4492	c24601317ac7790b94552d94d91e93b8.exe
4492	c24601317ac7790b94552d94d91e93b8.exe
4492	c24601317ac7790b94552d94d91e93b8.exe
4728	c24601317ac7790b94552d94d91e93b8.exe
4728	c24601317ac7790b94552d94d91e93b8.exe
4728	c24601317ac7790b94552d94d91e93b8.exe
4728	c24601317ac7790b94552d94d91e93b8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1772	1776	c24601317ac7790b94552d94d91e93b8.exe	82
PID 1776 wrote to memory of 1772	1776	c24601317ac7790b94552d94d91e93b8.exe	82
PID 1776 wrote to memory of 1772	1776	c24601317ac7790b94552d94d91e93b8.exe	82
PID 1776 wrote to memory of 3608	1776	c24601317ac7790b94552d94d91e93b8.exe	83
PID 1776 wrote to memory of 3608	1776	c24601317ac7790b94552d94d91e93b8.exe	83
PID 1776 wrote to memory of 3608	1776	c24601317ac7790b94552d94d91e93b8.exe	83
PID 1776 wrote to memory of 2484	1776	c24601317ac7790b94552d94d91e93b8.exe	84
PID 1776 wrote to memory of 2484	1776	c24601317ac7790b94552d94d91e93b8.exe	84
PID 1776 wrote to memory of 2484	1776	c24601317ac7790b94552d94d91e93b8.exe	84
PID 1776 wrote to memory of 4032	1776	c24601317ac7790b94552d94d91e93b8.exe	86
PID 1776 wrote to memory of 4032	1776	c24601317ac7790b94552d94d91e93b8.exe	86
PID 1776 wrote to memory of 4032	1776	c24601317ac7790b94552d94d91e93b8.exe	86
PID 1776 wrote to memory of 5028	1776	c24601317ac7790b94552d94d91e93b8.exe	87
PID 1776 wrote to memory of 5028	1776	c24601317ac7790b94552d94d91e93b8.exe	87
PID 1776 wrote to memory of 5028	1776	c24601317ac7790b94552d94d91e93b8.exe	87
PID 1776 wrote to memory of 4448	1776	c24601317ac7790b94552d94d91e93b8.exe	89
PID 1776 wrote to memory of 4448	1776	c24601317ac7790b94552d94d91e93b8.exe	89
PID 1776 wrote to memory of 4448	1776	c24601317ac7790b94552d94d91e93b8.exe	89
PID 1776 wrote to memory of 4800	1776	c24601317ac7790b94552d94d91e93b8.exe	88
PID 1776 wrote to memory of 4800	1776	c24601317ac7790b94552d94d91e93b8.exe	88
PID 1776 wrote to memory of 4800	1776	c24601317ac7790b94552d94d91e93b8.exe	88
PID 2484 wrote to memory of 2780	2484	cmd.exe	93
PID 2484 wrote to memory of 2780	2484	cmd.exe	93
PID 2484 wrote to memory of 2780	2484	cmd.exe	93
PID 2780 wrote to memory of 4328	2780	c24601317ac7790b94552d94d91e93b8.exe	95
PID 2780 wrote to memory of 4328	2780	c24601317ac7790b94552d94d91e93b8.exe	95
PID 2780 wrote to memory of 4328	2780	c24601317ac7790b94552d94d91e93b8.exe	95
PID 2780 wrote to memory of 4120	2780	c24601317ac7790b94552d94d91e93b8.exe	97
PID 2780 wrote to memory of 4120	2780	c24601317ac7790b94552d94d91e93b8.exe	97
PID 2780 wrote to memory of 4120	2780	c24601317ac7790b94552d94d91e93b8.exe	97
PID 2780 wrote to memory of 4692	2780	c24601317ac7790b94552d94d91e93b8.exe	98
PID 2780 wrote to memory of 4692	2780	c24601317ac7790b94552d94d91e93b8.exe	98
PID 2780 wrote to memory of 4692	2780	c24601317ac7790b94552d94d91e93b8.exe	98
PID 2780 wrote to memory of 4340	2780	c24601317ac7790b94552d94d91e93b8.exe	100
PID 2780 wrote to memory of 4340	2780	c24601317ac7790b94552d94d91e93b8.exe	100
PID 2780 wrote to memory of 4340	2780	c24601317ac7790b94552d94d91e93b8.exe	100
PID 2780 wrote to memory of 4988	2780	c24601317ac7790b94552d94d91e93b8.exe	99
PID 2780 wrote to memory of 4988	2780	c24601317ac7790b94552d94d91e93b8.exe	99
PID 2780 wrote to memory of 4988	2780	c24601317ac7790b94552d94d91e93b8.exe	99
PID 4800 wrote to memory of 552	4800	cmd.exe	105
PID 4800 wrote to memory of 552	4800	cmd.exe	105
PID 4800 wrote to memory of 552	4800	cmd.exe	105
PID 4328 wrote to memory of 4044	4328	cmd.exe	106
PID 4328 wrote to memory of 4044	4328	cmd.exe	106
PID 4328 wrote to memory of 4044	4328	cmd.exe	106
PID 4988 wrote to memory of 1808	4988	cmd.exe	107
PID 4988 wrote to memory of 1808	4988	cmd.exe	107
PID 4988 wrote to memory of 1808	4988	cmd.exe	107
PID 4044 wrote to memory of 2292	4044	c24601317ac7790b94552d94d91e93b8.exe	108
PID 4044 wrote to memory of 2292	4044	c24601317ac7790b94552d94d91e93b8.exe	108
PID 4044 wrote to memory of 2292	4044	c24601317ac7790b94552d94d91e93b8.exe	108
PID 4044 wrote to memory of 3712	4044	c24601317ac7790b94552d94d91e93b8.exe	117
PID 4044 wrote to memory of 3712	4044	c24601317ac7790b94552d94d91e93b8.exe	117
PID 4044 wrote to memory of 3712	4044	c24601317ac7790b94552d94d91e93b8.exe	117
PID 4044 wrote to memory of 2028	4044	c24601317ac7790b94552d94d91e93b8.exe	110
PID 4044 wrote to memory of 2028	4044	c24601317ac7790b94552d94d91e93b8.exe	110
PID 4044 wrote to memory of 2028	4044	c24601317ac7790b94552d94d91e93b8.exe	110
PID 4044 wrote to memory of 4388	4044	c24601317ac7790b94552d94d91e93b8.exe	111
PID 4044 wrote to memory of 4388	4044	c24601317ac7790b94552d94d91e93b8.exe	111
PID 4044 wrote to memory of 4388	4044	c24601317ac7790b94552d94d91e93b8.exe	111
PID 4044 wrote to memory of 1468	4044	c24601317ac7790b94552d94d91e93b8.exe	116
PID 4044 wrote to memory of 1468	4044	c24601317ac7790b94552d94d91e93b8.exe	116
PID 4044 wrote to memory of 1468	4044	c24601317ac7790b94552d94d91e93b8.exe	116
PID 2292 wrote to memory of 4696	2292	cmd.exe	118

System policy modification 1 TTPs 22 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c24601317ac7790b94552d94d91e93b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	c24601317ac7790b94552d94d91e93b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	c24601317ac7790b94552d94d91e93b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c24601317ac7790b94552d94d91e93b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found

C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
"C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\LMkgcYkI\JWwsYQIs.exe
  "C:\Users\Admin\LMkgcYkI\JWwsYQIs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1772
- C:\ProgramData\MAUkYEYU\GAkoEcgM.exe
  "C:\ProgramData\MAUkYEYU\GAkoEcgM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
    C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        8⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        10⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        12⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        14⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        16⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        18⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        20⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        22⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        24⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        26⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        28⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        32⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        33⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        34⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        35⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        36⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        37⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        38⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        39⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        40⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        41⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        42⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        43⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        44⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        45⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        46⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        47⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        48⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        49⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        50⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        51⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        52⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        53⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        54⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        55⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        56⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        57⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        58⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        59⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        60⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        61⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        62⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        63⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        64⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        65⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        66⤵
        
        PID:1780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        67⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        68⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        69⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        70⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        71⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        72⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        73⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        74⤵
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        75⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        76⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        77⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        78⤵
        
        PID:3244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        79⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        80⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        81⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        82⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        83⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        84⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        85⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        86⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        87⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        88⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        89⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        90⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        91⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        92⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        93⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        94⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        95⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        96⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        97⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        98⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        99⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        100⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        101⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        102⤵
        
        PID:4836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        103⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        104⤵
        
        PID:3272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        105⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        106⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        107⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        108⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        109⤵
        Modifies visibility of file extensions in Explorer
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        110⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        111⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        112⤵
        
        PID:5020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        113⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        114⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        115⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        116⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        117⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        118⤵
        
        PID:3360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        119⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        120⤵
        
        PID:4496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        121⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        122⤵
        
        PID:4396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        123⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        124⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        125⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        126⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        127⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        128⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        129⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        130⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        131⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        132⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        133⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        134⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        135⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        136⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        137⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        138⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        139⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        140⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        141⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        142⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        143⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        144⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        145⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        146⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        147⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        148⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        149⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        150⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        151⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        152⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        153⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        154⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        155⤵
        Adds Run key to start application
        
        PID:4964
        
        C:\Users\Admin\WkkowIsY\LsQUYEwA.exe
        
        "C:\Users\Admin\WkkowIsY\LsQUYEwA.exe"
        156⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 224
        157⤵
        Program crash
        
        PID:1120
        
        C:\ProgramData\kqwUgEEE\sUYkIcws.exe
        
        "C:\ProgramData\kqwUgEEE\sUYkIcws.exe"
        156⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 224
        157⤵
        Program crash
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        156⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        157⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        158⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        159⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        160⤵
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        161⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        162⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        163⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        164⤵
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        165⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        166⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        167⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        168⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        169⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        170⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        171⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        172⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        173⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        174⤵
        
        PID:2732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        175⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        176⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        177⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        178⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        179⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        180⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        181⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        182⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        183⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        184⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        185⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        186⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        187⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        188⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        189⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        190⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        191⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        192⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        193⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        194⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        195⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        196⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        197⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        198⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        199⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        200⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        201⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        202⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        203⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        204⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        205⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        207⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        208⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        209⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        210⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        211⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        212⤵
        
        PID:1808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        213⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        214⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        215⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        216⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        217⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        218⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        219⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        220⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        221⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        222⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        223⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        224⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        225⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        226⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        227⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        228⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        229⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        230⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        231⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        232⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        233⤵
        
        PID:420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        234⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        235⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        236⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        237⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        238⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        239⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        240⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        241⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        242⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        243⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        244⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        245⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        246⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        247⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        248⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        249⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        250⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        251⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        252⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        253⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        254⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        255⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        256⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        257⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        258⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        259⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        260⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        261⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        262⤵
        
        PID:3056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        263⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        264⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        265⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        266⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        267⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        268⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        269⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        270⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe
        
        C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8
        271⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8"
        272⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUQYkMoQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        272⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQEsssoI.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        270⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        Modifies registry key
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zggAoMcc.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        268⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWkUQYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        266⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BScsAMkk.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        264⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKUgEkEM.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        262⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsEkcocw.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        260⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoowQsEM.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        258⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        Modifies registry key
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmcwQwQc.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        256⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWswUYoE.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        254⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGMwcoEo.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        252⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQkEkcow.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        250⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        Modifies registry key
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCUAYcgI.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        248⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmUggogY.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        246⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOUEMsUY.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        244⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUcMAsoY.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        242⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEMscskg.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        240⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wywwoIsc.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        238⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies registry key
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewgwcAEs.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        236⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\susMEUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        234⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoQsEcYI.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        232⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCwMwQwM.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        230⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GuQMIQgM.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        228⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biMocIII.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        226⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayUgsIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        224⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqoswsog.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        222⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies registry key
        
        PID:1188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYsEkEoA.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        220⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkYEUUgY.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        218⤵
        
        PID:1172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:3960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies registry key
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies registry key
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCUEgcYw.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        216⤵
        
        PID:2540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGUQUIAg.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        214⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQIgwkQA.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        212⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyAkEcsE.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        210⤵
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        Modifies registry key
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyQMAMAE.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        208⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies registry key
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAkYocYo.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        206⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:1996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYkEgMEw.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        204⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmoIQgYc.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        202⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEEkwUAE.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        200⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:4872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSMMMkIc.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        198⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jygEUIIg.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        196⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCMUokEY.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        194⤵
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQMUEEgE.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        192⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        UAC bypass
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsEMUswo.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        190⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIYYQMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        188⤵
        
        PID:4188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEUQskog.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        186⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REQssIcc.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        184⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pokMMMYw.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        182⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykwscgIM.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        180⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYMYgAsg.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        178⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyUwoMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        176⤵
        
        PID:2784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAkwocAk.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        174⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:3768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYkoMEwk.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        172⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMAMwYQk.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        170⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        Modifies registry key
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQwwMMww.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        168⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCkIUQAU.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        166⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QagkgkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        164⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyMMwAMo.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        162⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HCAIoccs.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        160⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FagkEEog.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        158⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies registry key
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqoUQQwU.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        156⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCYEEEQs.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        154⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        Modifies registry key
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies registry key
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:1644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mosskkoc.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        152⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYYIwcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        150⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imwYEIkY.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        148⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEEIgccw.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        146⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riwUwQcw.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        144⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwUMcMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        142⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYgwEEss.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        140⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies registry key
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKQUEgUo.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        138⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMcIMEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        136⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuAUQscA.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        134⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsIgwoUw.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        132⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOYwYIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        130⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiQMQsEw.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        128⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaQUIgco.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        126⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eesMkYwI.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        124⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOgkwYos.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        122⤵
        
        PID:3328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        UAC bypass
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgEoUIwc.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        120⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMcMAIAw.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        118⤵
        
        PID:1352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        UAC bypass
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAsoUwMo.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        116⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USksYoAY.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        114⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECgMYMUU.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        112⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSkoIcsA.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        110⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:2212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMYcYwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        108⤵
        
        PID:2540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        UAC bypass
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aukQkQws.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        106⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUUsQIgE.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        104⤵
        
        PID:4712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCMQEMAg.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        102⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nisYAoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        100⤵
        
        PID:3104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEUUoQkM.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        98⤵
        
        PID:3912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwIckQcA.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        96⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyYEcsso.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        94⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiMYUQIo.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        92⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BewUYgsM.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        90⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCIwQwgE.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        88⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swEIAoMY.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        86⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwwwswIM.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        84⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkQAcIso.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        82⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeMAYgcc.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        80⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geoEEYYY.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        78⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAAUIkQE.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        76⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmsEQgoo.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        74⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQcsAoog.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        72⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCcYwYQE.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        70⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies registry key
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmMQQIww.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        68⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyAgUsoE.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        66⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQsAQksg.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        64⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEsswYos.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        62⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmIgoQQA.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        60⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmksMkow.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        58⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAAsMckc.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        56⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUMEoQMI.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        54⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsEEUwAU.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        52⤵
        
        PID:476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auwYIEYo.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        50⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKwMEsgc.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        48⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMIMAoQI.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        46⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akwoUswU.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        44⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWsgEEsY.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        42⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKYoQIcU.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        40⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcQwgcIU.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        38⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksAQMQgw.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        36⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOwckoUo.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        34⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcUwAMUA.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        32⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoIogAwM.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        30⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGEUUEsM.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        28⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaAgUAQI.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        26⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juUYQcsk.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        24⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWwgQAQY.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        22⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcgMsYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        20⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCoUowAw.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        18⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEQQoAQM.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        16⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgUcUkAo.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        14⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSgYsEoU.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        12⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWEEcIAc.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        10⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcsEksoY.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        8⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4260
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2028
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyQQcAsU.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
        6⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3128
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3712
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4120
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMYkcUEw.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1808
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4340
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4032
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYIAAEIM.bat" "C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:552
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4440 -ip 4440
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3576 -ip 3576
1⤵
PID:4328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MAUkYEYU\GAkoEcgM.exe

Filesize
199KB

MD5
8c52b9796402b75e1ad3bda43634478e

SHA1
0d961edb95059e9bba945ad1c6f7204ca1b9f5d5

SHA256
465cbf98c6d0db7338ecdd46ed759be539510e3e298eef19058d459f0c586946

SHA512
3aaaed113c9d411161741ea2f7407368e138d26fe85b64165751f4e590b7287b71b330f474bd94b7f16446993a403809cee5b9fc8ab8d065654517c22a87d3a7

Download Submit
C:\ProgramData\MAUkYEYU\GAkoEcgM.exe

Filesize
199KB

MD5
8c52b9796402b75e1ad3bda43634478e

SHA1
0d961edb95059e9bba945ad1c6f7204ca1b9f5d5

SHA256
465cbf98c6d0db7338ecdd46ed759be539510e3e298eef19058d459f0c586946

SHA512
3aaaed113c9d411161741ea2f7407368e138d26fe85b64165751f4e590b7287b71b330f474bd94b7f16446993a403809cee5b9fc8ab8d065654517c22a87d3a7

Download Submit
C:\ProgramData\MAUkYEYU\GAkoEcgM.inf

Filesize
4B

MD5
d6444b83c84d2ac95da86a40758e820c

SHA1
1c918b36852f685dd43cf30f15ac74a515f04f7a

SHA256
d10ff1121d5f25fe19ffd37e008aed955efc64ffb271d993059863c92d722096

SHA512
864c98216392cc23882fc0615830650b2a88088c40aa1ac1b8181ed40ba1643364b2b0984bdd617bdc6aaa986b97e4053e8349829a73c94b775d04abd59b0d1f

Download Submit
C:\ProgramData\MAUkYEYU\GAkoEcgM.inf

Filesize
4B

MD5
35bc97294d3b938d5f6522b3724add49

SHA1
9c11d5c02c316fb975538eff1a6c9cbd1c0c2e0c

SHA256
59a05f254f9678b2295fde0b363decff8c53c0bcbb050978af2659416aed58a6

SHA512
390986b9f50c859246f5dec7a0191f1c045032be670ce5ff90817a4b8e4bb7ef6f0dff0a7d4f00072405e7f5ec62a64135f765355cbda4a9a65fc3147a1e31d0

Download Submit
C:\ProgramData\MAUkYEYU\GAkoEcgM.inf

Filesize
4B

MD5
5e7f92cee924204f190943c47716dc13

SHA1
07898d6b62472a7f9629f334f3bb3df2587a2cb4

SHA256
6070400a8e6b9e0357bdaf9dd0e19a664f1be34562f0f2efe1fc1bef2b24cabe

SHA512
438a30098267118da5e466655404f416fb54b2bf1d29be75cc9991db48152f64d15ada041b86e720f7c4895a6ba22053c9c29c5a26b094700284dbaa097e6a2c

Download Submit
C:\ProgramData\MAUkYEYU\GAkoEcgM.inf

Filesize
4B

MD5
8fa949fb1672b433a104baf18bceb8fa

SHA1
5b84ebeb35faa668b2de5281917a154fec713681

SHA256
6cc3a3709e4814e62eba26992748b325572e3aa509e07ad2689f7555ec11d5b1

SHA512
006048d42cacd9baac26578ba307b462961cf0c533e3999a394feddd69b528d15abd88d7e7212bc3b613d35c0aa27816e6db87f16d9f40b6dbeefd71244c57bd

Download Submit
C:\ProgramData\MAUkYEYU\GAkoEcgM.inf

Filesize
4B

MD5
2528303311a189f5b4d54974ae90a56d

SHA1
5fbd2093e3402c26bf16fd2264f7df172438abb4

SHA256
e0654094ec89193bc692fffe8fddf70a2ca88d805d02df39c2fd6d0f18a1acae

SHA512
e2ecf2551d68f3afea300bfe88403b6f4dec6ce4c8da21e7d3c3ef10c7b3c7ce52de3d1e0d7be2edb56e42b957525cb0b414d7364f8772da1e1fc5eb21317c0a

Download Submit
C:\ProgramData\MAUkYEYU\GAkoEcgM.inf

Filesize
4B

MD5
ee3a8a2f9299a8ce6d20c5da4dc11dc2

SHA1
7724f91c34d5da1fce3f9d1fa20bd3fcb664045d

SHA256
1701b04d8acf322040ecdc01ec60cf08e98e25d641284b79bc7027f737b19fa8

SHA512
d0393207ca22e0ed28fdb203a2b1d5443dd32b9e332bc2af88cd1ed43393d777cefee8c94dcf6ddc42a2af8a72abfffe6c7c3a19effde741bbf22a6bfda459fc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
782KB

MD5
3743825e9d63c122b19bc8ca25222622

SHA1
aa7fb94e0b041b151386c3fd27078e512981f077

SHA256
fb09f7a1b8883dea21c9f3cbf48e6dc476fbb5231dfb1646ba658cbd96005036

SHA512
e65bbd0a216510ee59331bd519c0aa90fdc925a9b8e57c9cf2215e133669d6a28d40fd0b96c31999cf50f57c9e576d76433017c3e2844dac2847cc91781679b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

Filesize
184KB

MD5
88b5ac9a1a90e26da10f1d9a0cf1d6e1

SHA1
153aad408f73bcacc8a3497f6458ae9982f0b169

SHA256
63d8fb82ec69091f9112e5cf89332202fbfcd6de6ebb4c27e2e4f455a04b3c31

SHA512
2ce716a2fdb84b40e23abf6c2b4f9b02ada7a14a53800d958ea1c78acac180ea06960403b4f84255c65a37b64babe9c609aab31f31e9e8aa819a199886560b99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

Filesize
193KB

MD5
98c3acdc0326d9c9c0d8599249093ef3

SHA1
edf9252aedfb637c5e18c03dcd20902be5734cb4

SHA256
c69f8ace8edf07a3cf09c1c741926fe855dfb375ca0d158cae1a94d8af08020e

SHA512
3fda142fd09d4525aa7e7d3252c29c964d1c5eeea5c83f797afe27a8613f4f13521866bdc245923d78f35a541b9614a2fd129d74c9575b0ed08bbb3fd3932841

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

Filesize
184KB

MD5
a29286b0857a6d409cbe4ac61ad35873

SHA1
0a36062c9a35d9a070564bc9afa7f0959e8b23ac

SHA256
25636b5740851ed67603b5b4d19eff8c9fc458f7a3457da46f5342abcbf081ed

SHA512
edbce964e79d137d241e5a57b49540e6e910b38ab170c6c3785495eaf522517374f34d8eee0213a1291b0e849342555ebf126ea2d98eceb62859911246114c62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe

Filesize
204KB

MD5
2d0c38fb84866206838a2018a24c9066

SHA1
6c0162dd27353e76fb53ba7228834eb57263e548

SHA256
6b413fa3df830df4e4cd89752175ca4087b981672732efb84244ce31403423d0

SHA512
781dde0ef760af3b8016d5dd153591cf80104522e13bd6b86b555d4ae39ac1f4342fc27c34b6ebf434710487647462947e4a70436a53cd0381a9a469acfc765c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsIE.exe

Filesize
658KB

MD5
d6bc4779b7302e9fdceb8c446eb8307a

SHA1
5d5d8df635884ff14e5fc3d5af7d3371dcccc2c7

SHA256
445a40e5ddc278a105f731a12c59ac45498304c4a9c4c04d64f3e04199ebd5ca

SHA512
6d5623b7f03d5730dfc8e8683aaa696834d0ede8d64c25b367652a9ab63443b5641ef78ba3df1d987b03ba3c6e3e1d5b9c6190d5481b0fcc1914d85324d320d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGEUUEsM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcsEksoY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWwgQAQY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIkm.exe

Filesize
183KB

MD5
4706f94e404d993b676c3a86413b7158

SHA1
71f114e0722aae17740895025ce480839933d1df

SHA256
01293a0fec607b8cdba043bc3a9764930b1f4531178a964968ed596fa07e4ee4

SHA512
5d2ad9ee524f3742ffcea575f9a481522bcfd42f83cdb77e13ab74e0b6545ef17078aad532be9f0728fa06653e18765142e431693078f2841aac3e8bf190060b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQQw.exe

Filesize
208KB

MD5
2ae05783b197b9a6272ac0f4f2643114

SHA1
d8ee155b9f23fc1770bbcee42fdcf72bd840f776

SHA256
b17578f6bc4db290e2a361edb2316e2441db7ca1ebc1101598f17889f185b34b

SHA512
254fc38bbabfe06574c18ac2d0e8675e5593d87600f8af0a86df0c9576dd4b80a21178a6ad7e5ee49d53dc0c499b5febaea33b079ecfa591251b7301caf1826b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FaAgUAQI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoIogAwM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gska.exe

Filesize
648KB

MD5
1fd93393628d12c4d6517ea993a4aa1a

SHA1
4bd4f2e7f66c61fa59d7e4bdd2aebfbac3384fce

SHA256
8a08d59d24e7091609a11bb34092373de2a0f2f7663c35df0a02d315677b9c24

SHA512
e23a64821fbb576ee55ed9327c6b1cb79f78da3bae09f925ac7460eddad1821146665bce7a686f302d2a667fe6564a6204145e87d8ff9405f3e3b0dd1aad0895

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUko.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAkW.exe

Filesize
202KB

MD5
e980bc92c3087feff3ece559eefdada3

SHA1
f71dd2a72e5de729c0f52e8171976248a1ea2972

SHA256
0944e3e829281f0c34de7cdcae596d349aacdd70245d7aff08b40e90bddbc893

SHA512
b68282f44582222112183ba8dce939940585dde951119aae643321dc2632e54a8158c90c5d593cbf96f7178cfeead070885eb7b9342b7e9fb0276be39b54035e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcUwAMUA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMIu.exe

Filesize
190KB

MD5
9e8dc4e1a64783c0cf6d3d62d9d511e6

SHA1
5a6e0d4f8b41861b6098d3bb149c2738676efaba

SHA256
34b38e324512096600601a15e06465ed06a968c363768e6cb1d043cc17ff34b4

SHA512
957f7af7abbd0c3229b1bfc938d3a529ed0f474393429cfe1c8f6bd8265ff011b2c2733003360568f91869116d8f722685546c5331cf85044cf2d44f69ad5c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQEI.exe

Filesize
563KB

MD5
3ff1b93aab787f4b2de4714d019f649b

SHA1
0c7313f1263a85c75fa49c6af9b8736c8208189f

SHA256
b6ea776f9334a8a7e5f40924db7268febff4bad36bebe973ee830521436cfe2c

SHA512
1d22e9d2edf03469df633c3be2e2b521ac4f491bc525ad19b0db82efb9d1a3f1e08a84f5f14ec50bf3f224b1dddff88d5d09090f13d6b42a7315c43e51a012ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgUcUkAo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEQQoAQM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMkm.exe

Filesize
191KB

MD5
63f7e7e8fc63707ba601ae72588e2348

SHA1
a3883f540e8626cfb815d8053cf7dc83c7b0c8a6

SHA256
4bc6c628f64c974929bcff3be262aa5085d6a66809a494dc3125e28639049f17

SHA512
d50d8942330d901dffb06e48a1bcde41a00719cdc39d4a06e741664eea037abed4bac44100e3c9e017e45e7d72dc4aff2699e5b25b4c65766d7019d7d8ae1ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUIq.exe

Filesize
190KB

MD5
d16779a12b57bdfb507fc8dbb97061ae

SHA1
7f406ad0e5bf13b61ccb2a70fcd47f8a084f00b5

SHA256
ed1eae7c626264f6d9da3cc5a7e484811ab6f3aa5da927b1a257df7fc512486a

SHA512
62f253e1ea5f26a6b5c506249caa0f25468ec3ef542231e9d9fc4ebb6c649245612fa53515d9ada73ee619126237401a0a6fbca0470e95a679c2ce9411e73efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkEu.exe

Filesize
313KB

MD5
6e59f21b3c36d93024cadd646214e767

SHA1
b428ce8b97591c8a7cfe96aad4c5790696679e54

SHA256
0f90d124991cd47902203e020a1881d5120f798aab4d39172d584a862651b503

SHA512
a7efc88cde884c6a3fc125f2e0d2e1f109952f3a1570d5a1090dd8e94b0128f02f55b768f91d719a20ed483ac5ada3a30f24ab01ba9b6bc16cecc9a2b2caee8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAIi.exe

Filesize
199KB

MD5
a4469a88a00b1b393702667b7fe652ac

SHA1
751daa5781c3c3d624521359214d09f100f36e00

SHA256
a36191059d4dd7aef4ba8f9d761a97e984427765a8f551b6d5e7566bc0955684

SHA512
830b0643d15e0f6ad50cdbcc0721ffe948550b0aefd85bdfc3ad8f593a1f84c0570e62da93c6272ebb92ef4896ea6914ab353fcf3c327a82f6c0ac3862a3b71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEsE.exe

Filesize
204KB

MD5
89f418dc48a4011d334ed3d046345694

SHA1
504921c9e1b357adb8f8f3f464410a1d3beac768

SHA256
e1498a5b55bb01af695bfebf334b9c4b8411023c765c823254f223291f432c38

SHA512
88642470db12863c55e64937a1d132debcd47c0f34bf64a37058fa05ede84befd81d61aa3d3d4661dee1214ba5b1339c89813f43ce4a1ac6ec1c3500f0ab4f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUkW.exe

Filesize
229KB

MD5
e6f0e4c1784b5fe036b2f7ffa258e723

SHA1
bfa7819b736ebe0bdd8841faf85a2c0a2fa399f6

SHA256
5f2eb89cc3a0ed76695cc4f0a2d698d626edd017455afb3348f603da0a7a2a2a

SHA512
23a2768b67d3577ba63c24f39fb3657473e276c5c3e22f1f29d70611dfc76070d458db91f6c9549a3f0707bdc49a2cb289087429efb4a0b7c2acf3d6d2b07619

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUsS.exe

Filesize
208KB

MD5
d27c68ca1c98cb312dcddae27023c96b

SHA1
7ab2e8d43e2acc756c117d6fe7533c8af84282d0

SHA256
d6deafc6cdab91d3825b6549e90d77801316dc53ca3e0de0a47217a460f9eb1a

SHA512
410ecc2886897ca6937b3a0347e7d91b6d071a6d80b243c2c13e6a7d65934c1749eea44fb4eb7dcb83b6b959c46ecf78e84e9dce58b5e1baa7c9ae80b21fe4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwoC.exe

Filesize
199KB

MD5
0a2d66934862206b1bbe973ba9ffaa08

SHA1
d04d55b2b76ef4e9e52fb408d5878d5f4e72e79e

SHA256
bb5e58ee7dea5224bfbce2ca07e014c9bb12367e018ff166e2d0ce9c0327baf4

SHA512
77bae87dea1748e5af6a1a4a408c824af61d35ec76297644808333f3f81789a669ec52b744e0cb0b1389161880dfd4b1401bbe1c96f99518cdc5d9a7bebed267

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOwckoUo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEYC.exe

Filesize
5.2MB

MD5
f2b8eb57d8120f0148f1339a081a1151

SHA1
eb74393467ae791c2c1535ededaa7cf3b72cf11c

SHA256
8208b59351567cbe16fb0ecc796434a7e71c9ca8f151a1a07a07f6b3dc99c241

SHA512
4d8beb2de058745ef91d87ca49e24d1ce78192bdef0a54fc4d4b8c8c3212d6ae3956eb1771ee1e385df44bac5d5cc96c9489b263ab19704b6f2fdd6b83b74cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMMC.exe

Filesize
198KB

MD5
538f16fcb35d6dfbf00fdb69761b4ca4

SHA1
5736de0d54686687fa64267899c9ed006378c188

SHA256
7d59ef6ffe6bbf3719077e3f3888b05cfd2f411937a8e7d7e3f4f68e504fafb9

SHA512
8a043c392d49fa9adccf3c5c5425599841864287616ae1eff3e5266d5bc4df25d7881525dfa175295f744385310ed53666980319fa30a777c93710a168fd8c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwcI.exe

Filesize
634KB

MD5
000da1bfdf3e2a05db55f27d86ef2d17

SHA1
a12507b8d1d9623e0ffdd0fcfd84d32441290923

SHA256
d19cc1e45f724e5f6d56449823fda38a5796fbbeb0b5f2513ed4411073c7de9f

SHA512
636f7d772c1756af5ef8a556bbd1f4e6ceb821b8bceb357ebfb3453e7a9c737e0c4923727203fe6237b8415e1cc789209a385f337a9b994397be0f8ce90a5ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkgM.exe

Filesize
190KB

MD5
d6c27983cc948aed8bc3eec859206034

SHA1
1644603c93a095f5b17a42dbd61280c8e3ec7d19

SHA256
69860ec07d96607093a6a09011bcd1c7834f94e314df1e18fbbcbd6e03cfcbc0

SHA512
d8e75afbbed212682138472380bb48b6047ab961c7af64b73915706ce7cb337c88fb5f495d798bab568ff00c474060ceb95adcf0e87ffeca3e05589f536376d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TyQQcAsU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TyQQcAsU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoAA.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEkU.exe

Filesize
185KB

MD5
30271a40fbe65741797b5e9646d6406b

SHA1
27974369ec9ed827f56e3209ce5524ca622334f9

SHA256
44bad181c4c6371e24f31ba1cdf72c5098bf8a5d36b6e793fb8fd63e11869e70

SHA512
0bc9929d3cb120903af8b110112ce275be5d8fe5330ba034ca4448beba6075e62d8ec44602f30531adfcb973866e335e725e32838bf9bf534aff4f3dae285e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoEy.exe

Filesize
204KB

MD5
307be77f64bda3c4b603a29904bb7bad

SHA1
7dd722b1bfbdda55c09973e71243a104f99ce673

SHA256
55120b88c52e1ed7ee986cb64b60f537dd71528ffbf6b89d0a8e8663d645f6a1

SHA512
fa155bc3ef11a6b70c8c149974f34a62dabed1fb941dba1160cc199658e8ef5d6c75611730dbc0c18dcd5fb58b52263dfb264f182a8911b095e3f4ab305e7ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYIAAEIM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZsEe.exe

Filesize
207KB

MD5
f67ce06d9e6be3ddb7381c2fcb40aa77

SHA1
0d529ee57ff2c03c359a9e3c911a0a2e3996653d

SHA256
3dfb21d43439132354711480cb89c8c1ce4818856977f8da52ffcb811722a3b4

SHA512
a888be335355123da51a04157ba43ff279f857908e7e632ee4b0c54463ad2b847300c2281f0f046407c956a5445395bb04aa95796d9bdca7195ca233ffe6c85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAYq.exe

Filesize
649KB

MD5
7d82547ee5c3509670756e007477dd83

SHA1
c02a39aface0f2e4abe9f9ab36a2c108219ebbba

SHA256
4464723b778114e85fc901d8c67862a94c9098f381487da6f1dfe496d050cdab

SHA512
b6e88d2bb6322f4a7bd4f4dce946305267e0808380ec674b565e0e1024e53bf98659c1ee1619216ccdde17ef7bebc47b938c8ff6e016ad2c39a738a983012963

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQYI.exe

Filesize
197KB

MD5
ab079f1b4bd383ebaa89279114745938

SHA1
05797bf6d31d1be0e34ed37b73770eba9be972f7

SHA256
6bf1f4b1560a14e14561ce641ab392d32d131f573b0545282e3fcc895d1e4ba7

SHA512
a08c197666d349dfbd24aaf9a4b76cde6987ffa0c855f8c82dbd5f77136c8f92c8dfe2526f19a22e26011c34f4fda0cf89dd08baa2f85c0ad6ec2f0613f7aea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24601317ac7790b94552d94d91e93b8

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEwc.exe

Filesize
185KB

MD5
dce72d39378e41d035579f8727ca88f7

SHA1
1e74810b24dea6777829a12d86b6a58d9e52f4f3

SHA256
5641433ba872aedc93bfcaad7ef2ad4f0055d20bf05677b2dc925125c12579b2

SHA512
682d5ebdeca271ae3a9211d70cf7c129a56ac3543e53d9495b3c3b4fe233650b1ff286532f4633fc89b2732f3db80410831183f08f9d2dce1fa3c685c2e3ac5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcgo.exe

Filesize
382KB

MD5
0c88f729b6e045839a06fd82cf068dc5

SHA1
2dc365a9b7260475897fee5a7a096e0603ab4c3f

SHA256
54336e46905cc4f0059c724a06a4d0d74ba87b80ca80a272697b0076060906a9

SHA512
c5094915ffc8fcf227979ec1e2c13fc34cfe61ab229a90627a46b113b92ef160c487e057ae5eaf8aa6e65865de3ec863409db9244689e423231cec983103bf56

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwYc.exe

Filesize
823KB

MD5
168a8b07becb8e49e6c8cf33a9a45a22

SHA1
4131bb41724734286847c4c9d6b6eded2f82169c

SHA256
a6d7493c183617add47a1d2394d0062683f3f2fd83b0031261c79845b17aa9f6

SHA512
f437f48acf2c43c955066349d2802d3714c7d10e4c83bccfb896eadc1080db9f6402385ea2399f4a47bf65450157969f26cc9f28e8a1072d7980e50169641457

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSgYsEoU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUwW.exe

Filesize
221KB

MD5
2362c38d52b3f35119f4a4fa22a30fa5

SHA1
b83db5e2a24b04e2bd27ea850592d06d2a8da876

SHA256
ad55ece79f86014f2dc2c94a35749273e767d799aaa65fbb937ee9980ca79c34

SHA512
fe4647722820a033fb7f808e9a2ab212744799ef86152a47a773f1da7bc354ee0220c8203c0304f0ab79c194702ad1438eb9ac82b6d83f9489286d4902bf46f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\egAE.exe

Filesize
200KB

MD5
15b5ba0786c777f010062e2120aecf7b

SHA1
92f77906804d2e85c7baa0ef6a8e345996302d92

SHA256
40569ae2b07cf54a59a945afee7c9dc69e72875b967b393847be3d30b7254b1d

SHA512
c492f3448469015e7c799964bacc30c910c77396520794a9aa9846b2f46a9f3140b08747335aec68ffae1abbb634e09ddd0f3dc5317cec11d19ae6ec0948ced2

Download Submit
C:\Users\Admin\AppData\Local\Temp\egEW.exe

Filesize
209KB

MD5
d6255d992b863f7a6df5275062e1763a

SHA1
13f7887b2eae7fd493c533ea412d25fbb8c7947e

SHA256
1eb9765c830b361d19871b32b004c30fccd5abf7bc567ac0469335600a906f07

SHA512
81292b537b8bd919d9a66abf516666514bf013c663bc39d702737dd3200fdef1982dc49301c901fe5fc62c49c9e46d4bb164e95deccb5491cfa3546b5c83e16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMIS.exe

Filesize
198KB

MD5
e5905eb4280e24f6e31ff5666008ccbd

SHA1
045a4faffc0919a6e7bf9a3d9a1d448cbbb168de

SHA256
2c78b2a71911e82ff637d864c85da0a782c02dcf8ddb6e7077b9579415e7fe54

SHA512
9381e0b20f25e7356069f3e60b96ba16455da18e5b3021f72836cc7089e1493ad68b39c15a207ccaf0ba1f1835873b35b8927b165ec7f514117bd1fcc15ae7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkoS.exe

Filesize
181KB

MD5
fc626536557aaca897c6ef457e62aa7a

SHA1
b79c93ef47047b574320a0916f475765663d0d0f

SHA256
9233d15e1817fd0f36ede3bc95cdf6d3222964181ba9333325c98d5b9a92d1a6

SHA512
a87e0e3fb58a9e9dc8051e4938db4b5454cfabe76b37d6579877cd2c68cb6db957615a3247c382a7d0217919d335686a2fe1ee2505b0fdfadf6eaf6b112d8de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggoS.exe

Filesize
189KB

MD5
c0d0e99598d5cb75458c1a17f8ed69dd

SHA1
a5433556ea258de07884aab8ee30433b10163440

SHA256
020ac67794b08f657726053a76a2ca938913428f8d1078b06eea785dac5cb410

SHA512
2e9cf84ed4538f31e8e43eaa5aa967ee3d7fdb4c85ab3a506808f077857cee74d095ac1c4361e9563249969b324b9da403f150b232b5d6e82d506a0708066dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hWEEcIAc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgkQ.exe

Filesize
203KB

MD5
c4ce7633b88f44b6311189c023bb4725

SHA1
3bd3b1b19194d5049af4e57d67e528f0c9b7315a

SHA256
1c6f9239ef8e01a05a358a12ac3fd3e6daa51d4a97ce9a2ea30aa220f28bddd9

SHA512
846d30ec7add61181071d2f7e87792243c2dd0a20075a573100a17dad1814516fcc792494ff008e826868dc3087a5cdb01273011ac352aa74f514bbc7bc58e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIMu.exe

Filesize
190KB

MD5
f1bb231b78f2309778ec4395e834742f

SHA1
ca3c86b59285055c57e133993d2f8f429a22b3d6

SHA256
872502bb5c1c934a9085a825471c42638ce077f1256011bae77ea96982e66461

SHA512
7d90ab602502125b3a91f1ff63bb7cad4c7381bac08f72d085751bc51bb0499a2ce2658d82ac2ada2eeb919fa2e49a1018b3e6fd422339603562e38d41c41eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYcE.exe

Filesize
217KB

MD5
212496aab98f919e0638c358718061e0

SHA1
21cf7db847414f8bb05fd9d1ccce62f122b010c9

SHA256
1388f9ac6bb0bd4ed76df7ed90bc2b32f18f4f18e7f989cedf293bc0d79de71e

SHA512
c2d324e3db8afb4b89a77bcc2f2a236592671ba79ea6340aa6fe36be9b274df850958cf54e20af1f67bc5a660d0dfd62c244cc98336f87a79102cd3ba3588a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYck.exe

Filesize
814KB

MD5
3c97dd58dd9dc38307e9ccf3b78372ee

SHA1
1da2810493498cac73dc40d97407741d88f4fc78

SHA256
caf12ca7a0fecf9939cad4606f437d30f259ceaf0e9df092bb6634200cdbcc8a

SHA512
4bfb66ca97783dd1be0c5ca385bb3c34b8388f328283f1f55023cfcdc0d60ecb809b2ba1541e84f8c92980eb2798ffc057b9ff65a3e7bb3dee9552e92eb1457f

Download Submit
C:\Users\Admin\AppData\Local\Temp\juUYQcsk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEi.exe

Filesize
657KB

MD5
762cbb6c7d2cea2cc6ec025358cebfb6

SHA1
aa57b4db0b4de4134adcf75e4ef9ddffa308de51

SHA256
89e73ff398c090af390200f41164f755f197d859bd8be822e02bb2614a8c9bd3

SHA512
d66d9e237a12e2fe304532fe9a8d5b19f8f9e51ad97080ee289befce107941001119bc178eeefc6864e4247e7e888be7bf2cc382ca02b24a7f1b8a55b6e9f5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEi.exe

Filesize
219KB

MD5
04321714ad2edb847322e28a38b8a1e4

SHA1
9f26649d793326188974a2e111326aa64cf5c0fa

SHA256
a7fdc764458015b268757be74cdc3c3149bba688c30a800584a409bf57bb385b

SHA512
a5e15619ed3556cff6a50a39def66ede73168ee7077cca8f85d2e2ce6e7461f20422fab6981700070589fd8b6a4e545ee3a17772db923801c48802ab675868cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMUI.exe

Filesize
523KB

MD5
ab6c49e4383eb3f63bf6aa866f6b185e

SHA1
e697b883b12419918812a82f04bc5cc5a75f2b87

SHA256
2377ce5a063ef027f07e5c6755584f94daf0094d0165eecf8e0bb4432e16c320

SHA512
37b0125259582fe696f7b70056882353f62eb30f31876e3974e5dda99b84dd2468b225ecb071e237d306063a873f6507a474ac7c9ac2f2941f20743c2a8737c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEgS.exe

Filesize
188KB

MD5
a021365d0fe392cbf9e225232a0b4ad6

SHA1
dfd5ae62110e5d250e172d8601524bb03e611d1e

SHA256
78b388c3b6087bbced92f6c0a79db847a40995cc1bdfef91d5102063cc57cd43

SHA512
c4ea616b53c8a4e37d45956fd604b4085f2aec9f6aeea2a38a97388770cb627ad56e0b153291006fdad82e312a49d27086f871865b00687408e5f037ecd902a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUYe.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssu.exe

Filesize
256KB

MD5
c65661e235bd3636272c367906aa7b6f

SHA1
8cf602ed4e4a6f6691d9b42b7907481dc07cb7ee

SHA256
135d7ac03c8705682d95c3e624a77542e7400e0f42ce91e9f61234f45b8a3a4c

SHA512
43072f655c5229c4b91d6dd640a336e1f4ae21ccbbe9e903a686322b881353aff5452a50a9dc2e75e03e434be723488678d6e52a9f83940d96d83fedef3c9987

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIYg.exe

Filesize
193KB

MD5
756771850b4bca1c01bcc9e390ee4b6b

SHA1
04ece01afc02326ea0f6aad585913ee11e2ddf07

SHA256
0319a5127158ada4170d0bb38dce567d0c3afe07f75e9495149311ccf19c1c3a

SHA512
8e4e5e6923dcab0dc7c3c3e037f4471cd12e437f676d08271af087ea42369efa459dd81ecfd455e678f0feef410e0fbd9d17700cbbb814d67ee8477229e73ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncEI.exe

Filesize
312KB

MD5
d63740934b99c5725d02b6d77268ece1

SHA1
7f07a8d00038afee941a630494117582ac3af5f9

SHA256
78e09a4f42b436b2182aefe0f31756ce2e47db5e93f3c6ea3592fcd082a19cd8

SHA512
59e803c930be23cd6a937d1b67404614af05ce6b1c8c597b99398883cd2c9c9e5177c5f169e85c1f3e14c21fd111379e82ea970bb2fc82e0aab7656f2edb1433

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIoW.exe

Filesize
207KB

MD5
97ea263edd2bb07539e505429069aa7c

SHA1
5d522d0ddef033b8a39423bcd8fd973f726f8ee6

SHA256
a4c5baf5be1f8111680c7440b204c741e41bee54589e56532d81b1eec68f60ca

SHA512
0c9211fe57e1e0add171b9b210dc3c8518711c5fdbf52157c15d5df75e60dcb2afd302e32c0b2c10a6157422392d86499d66c62a56b5478728b4b5ca684abb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\oskG.exe

Filesize
224KB

MD5
b61fc1706903cfdb4537ef2abdadbe7c

SHA1
f0d180c930fdce98296262ac1de641c3f8a1f9c2

SHA256
b7a191c1ec1fa11468cd323365f2194dd21e90b2f1f9888b38b31b57cd3eb179

SHA512
4041b6daa349138fa1b9120bc225c809f88dc8d5666f05f47f5a5f5176845fff356c043bd0b44bd6b03399dbb5d593da4b7376234e9b2bb6b338e0f555ea6b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkUA.exe

Filesize
193KB

MD5
47707c31c1d1b6864c47fed14e9bb89f

SHA1
8bf4b9ec305d78c3a300a9fe74c5c854bb1b6db3

SHA256
78a3065e8435ecf92411d039bfe1cda4567562bda4b0be2358b0ed75b29727a1

SHA512
b32b3f9a9b1e8a15910f035eaab1990e15c2bf2dc2da69d4300efd1aeb7ffdbef22fc8508b89e741c9a3abf9d27cd43b0b9cee58d8e496b6981fcff84c2f9492

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCoUowAw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgQW.exe

Filesize
201KB

MD5
6c7d1fd5f374bedf252dc89dc2aa3050

SHA1
ae2bbd41b07304dfc20ff57ef91d0a710a364b93

SHA256
0c28e44b5d42736da4ede8b1cef852ca400403752380afcb0e0f20a5ed82d1f7

SHA512
a92c6f2fd8d7aa65b833e8355edd810da11f39f28f1b653af79cec4b2e00340264ed119b0202a3aaadcd65a44bd34761b6254d71641869fc6422019e5c06a02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rooU.exe

Filesize
790KB

MD5
272c3e07f614e7ed27c81f447259e06c

SHA1
306b76e36a9f00c2304ee5658d6742704a5828b5

SHA256
94d7ed0b6f4b3f9e268204ffd59d8ceecfda49b342a556818f397da6d57f411d

SHA512
c74cf30322260e9eb612646f2c02b2d2ae267cb83d4b008b8a24ed163a2087b8132840723db43e583ad627c571f40f63b3d0b196d1ab556f90159c281a7566f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEQw.exe

Filesize
192KB

MD5
20d83f3905ab4c39c5758405bd646d86

SHA1
99be32765232c7db9660feb1b0ec646b2dbaee90

SHA256
71d1d451d8306b2cfee2ef8a3c57493e3c38850b73a4b96110b5443302dabd76

SHA512
eb1e889a72b4f0da688f351daf535de4c6f2469f41f5cdfa13d63f471a2a5952defa6e08e106b700b30fcd0a8a32b9a42f9e2405733ff0fd8eca54b19d680c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukIY.exe

Filesize
400KB

MD5
ccd7b361452fe68baf8e44a32e00ce16

SHA1
84df5086f29ad3c375ed47cf4c7bb84f9e03d54d

SHA256
f4eeac348e1c0077d42d33d380b57f3c91937f6e3853770e2a1dce8a0c32d868

SHA512
9ed680cefd213729198dddb371ce74f38bb2df8043a7f7868cf14f588641cabc69412e6dad70f3d39b942d76113d1986ed8a7199dd28f307410be9a5a518f21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMgs.exe

Filesize
204KB

MD5
3b40aa75cf3aca63e35cb7fbdf9630a1

SHA1
825dac91f239d48087334bda4685e9fed3b6e1df

SHA256
1838e6c2001854b2a6137320a6c171001007648c38ae9053796784bc048c8678

SHA512
c05f23acf2afaac744899b8036d20edd0b9c9b09fd91ac9f9684f942c6695b57728c986666c23aa8130d71a6d8355c1a9c8c874f87207b8478a962056f19a8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcgMsYsQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMYkcUEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\LMkgcYkI\JWwsYQIs.exe

Filesize
192KB

MD5
fd36bcf5c6b986ec3a373dba9bee043b

SHA1
b0c2092382c4a2876e25edb550c0df967273ca7f

SHA256
f7ff9b0915a1516e495842385d9042803b252eec5f2703e5baa0e4c1161b547d

SHA512
1ed5bef4774ab94436e1d0372b628075bd88ab2e47f7e38eea0ae5b1e1456d1dd970e1abafc4200adca5c032d6341321c509ee4a7fd5c6384d7724cb03a16bf6

Download Submit
C:\Users\Admin\LMkgcYkI\JWwsYQIs.exe

Filesize
192KB

MD5
fd36bcf5c6b986ec3a373dba9bee043b

SHA1
b0c2092382c4a2876e25edb550c0df967273ca7f

SHA256
f7ff9b0915a1516e495842385d9042803b252eec5f2703e5baa0e4c1161b547d

SHA512
1ed5bef4774ab94436e1d0372b628075bd88ab2e47f7e38eea0ae5b1e1456d1dd970e1abafc4200adca5c032d6341321c509ee4a7fd5c6384d7724cb03a16bf6

Download Submit
C:\Users\Admin\LMkgcYkI\JWwsYQIs.inf

Filesize
4B

MD5
d6444b83c84d2ac95da86a40758e820c

SHA1
1c918b36852f685dd43cf30f15ac74a515f04f7a

SHA256
d10ff1121d5f25fe19ffd37e008aed955efc64ffb271d993059863c92d722096

SHA512
864c98216392cc23882fc0615830650b2a88088c40aa1ac1b8181ed40ba1643364b2b0984bdd617bdc6aaa986b97e4053e8349829a73c94b775d04abd59b0d1f

Download Submit
C:\Users\Admin\LMkgcYkI\JWwsYQIs.inf

Filesize
4B

MD5
35bc97294d3b938d5f6522b3724add49

SHA1
9c11d5c02c316fb975538eff1a6c9cbd1c0c2e0c

SHA256
59a05f254f9678b2295fde0b363decff8c53c0bcbb050978af2659416aed58a6

SHA512
390986b9f50c859246f5dec7a0191f1c045032be670ce5ff90817a4b8e4bb7ef6f0dff0a7d4f00072405e7f5ec62a64135f765355cbda4a9a65fc3147a1e31d0

Download Submit
C:\Users\Admin\LMkgcYkI\JWwsYQIs.inf

Filesize
4B

MD5
5e7f92cee924204f190943c47716dc13

SHA1
07898d6b62472a7f9629f334f3bb3df2587a2cb4

SHA256
6070400a8e6b9e0357bdaf9dd0e19a664f1be34562f0f2efe1fc1bef2b24cabe

SHA512
438a30098267118da5e466655404f416fb54b2bf1d29be75cc9991db48152f64d15ada041b86e720f7c4895a6ba22053c9c29c5a26b094700284dbaa097e6a2c

Download Submit
C:\Users\Admin\LMkgcYkI\JWwsYQIs.inf

Filesize
4B

MD5
8fa949fb1672b433a104baf18bceb8fa

SHA1
5b84ebeb35faa668b2de5281917a154fec713681

SHA256
6cc3a3709e4814e62eba26992748b325572e3aa509e07ad2689f7555ec11d5b1

SHA512
006048d42cacd9baac26578ba307b462961cf0c533e3999a394feddd69b528d15abd88d7e7212bc3b613d35c0aa27816e6db87f16d9f40b6dbeefd71244c57bd

Download Submit
C:\Users\Admin\LMkgcYkI\JWwsYQIs.inf

Filesize
4B

MD5
2528303311a189f5b4d54974ae90a56d

SHA1
5fbd2093e3402c26bf16fd2264f7df172438abb4

SHA256
e0654094ec89193bc692fffe8fddf70a2ca88d805d02df39c2fd6d0f18a1acae

SHA512
e2ecf2551d68f3afea300bfe88403b6f4dec6ce4c8da21e7d3c3ef10c7b3c7ce52de3d1e0d7be2edb56e42b957525cb0b414d7364f8772da1e1fc5eb21317c0a

Download Submit
memory/232-902-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-912-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/368-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/484-685-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-939-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-893-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-167-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1776-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-650-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-931-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-885-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-901-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-523-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-796-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-746-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-694-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-690-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-843-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-848-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-921-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-917-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download