f94a87a6b2201c05a4222db550ce2ea96991165ee8b3c25af7bfeb5a8bbd8d51

Analysis

max time kernel
151s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbeb8a1dc9c1cc99182866d178ecaea8.exe
Size

189KB
MD5

cbeb8a1dc9c1cc99182866d178ecaea8
SHA1

4fed98767f06ef15b165c4baa69ac9adfbcfc794
SHA256

f94a87a6b2201c05a4222db550ce2ea96991165ee8b3c25af7bfeb5a8bbd8d51
SHA512

0b46422897e1e0302fc29e3a7625fea0b929eefc4ca506616bc7456596e8520bfb047aaa73baf304991bddb6dfca6bf93673b5738555ad40e00f8ee6d60d80b5
SSDEEP

3072:TxoZBytUbHRMDHJA8rXlm+TjeVfsHSz26jk:FoZB+Uj8X4+6sHSi6jk

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	lockoQMo.exe

Executes dropped EXE 3 IoCs

pid	Process
4368	BiskQYsU.exe
1268	lockoQMo.exe
4288	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lockoQMo.exe = "C:\\ProgramData\\PywIIEEw\\lockoQMo.exe"	lockoQMo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BiskQYsU.exe = "C:\\Users\\Admin\\SoYIMcwk\\BiskQYsU.exe"	BiskQYsU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hSMowkUM.exe = "C:\\Users\\Admin\\PyAwYsUs\\hSMowkUM.exe"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fIkEscUE.exe = "C:\\ProgramData\\DmIEAcUc\\fIkEscUE.exe"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hSMowkUM.exe = "C:\\Users\\Admin\\PyAwYsUs\\hSMowkUM.exe"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fIkEscUE.exe = "C:\\ProgramData\\DmIEAcUc\\fIkEscUE.exe"	Conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BiskQYsU.exe = "C:\\Users\\Admin\\SoYIMcwk\\BiskQYsU.exe"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lockoQMo.exe = "C:\\ProgramData\\PywIIEEw\\lockoQMo.exe"	cbeb8a1dc9c1cc99182866d178ecaea8.exe

Checks whether UAC is enabled 1 TTPs 42 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	lockoQMo.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	lockoQMo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4344	336	WerFault.exe	147
4624	2244	WerFault.exe	146
3344	2384	WerFault.exe	1179
1724	4288	WerFault.exe	1182

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5036	reg.exe
2300	reg.exe
4384	reg.exe
960	reg.exe
2748	reg.exe
1032	reg.exe
2244	reg.exe
4208	reg.exe
5096	reg.exe
2496	reg.exe
60	reg.exe
4948	reg.exe
5116	reg.exe
1448	reg.exe
1784	reg.exe
5016	reg.exe
4892	reg.exe
4724	reg.exe
3004	reg.exe
4416	reg.exe
1512	reg.exe
4552	reg.exe
3844	reg.exe
336	reg.exe
4304	reg.exe
4148	reg.exe
4192	reg.exe
1508	reg.exe
1428	reg.exe
4168	reg.exe
4280	reg.exe
4148	reg.exe
4148	reg.exe
4944	Process not Found
3920	reg.exe
2232	reg.exe
4448	reg.exe
2700	reg.exe
4688	reg.exe
4376	reg.exe
404	reg.exe
4596	reg.exe
3188	reg.exe
3312	reg.exe
4148	reg.exe
3440	reg.exe
1292	reg.exe
3928	reg.exe
3688	reg.exe
4580	reg.exe
4436	reg.exe
3776	reg.exe
4468	Process not Found
1068	Process not Found
4180	reg.exe
3780	reg.exe
4020	reg.exe
2660	reg.exe
616	reg.exe
1656	reg.exe
1764	reg.exe
1488	reg.exe
4704	reg.exe
3720	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe
1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe
1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe
1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe
1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe
1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe
1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe
1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe
1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe
3696	reg.exe
3696	reg.exe
3696	reg.exe
3696	reg.exe
3144	cbeb8a1dc9c1cc99182866d178ecaea8.exe
3144	cbeb8a1dc9c1cc99182866d178ecaea8.exe
3144	cbeb8a1dc9c1cc99182866d178ecaea8.exe
3144	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4308	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4308	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4308	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4308	cbeb8a1dc9c1cc99182866d178ecaea8.exe
3248	cbeb8a1dc9c1cc99182866d178ecaea8.exe
3248	cbeb8a1dc9c1cc99182866d178ecaea8.exe
3248	cbeb8a1dc9c1cc99182866d178ecaea8.exe
3248	cbeb8a1dc9c1cc99182866d178ecaea8.exe
3376	cbeb8a1dc9c1cc99182866d178ecaea8.exe
3376	cbeb8a1dc9c1cc99182866d178ecaea8.exe
3376	cbeb8a1dc9c1cc99182866d178ecaea8.exe
3376	cbeb8a1dc9c1cc99182866d178ecaea8.exe
1508	reg.exe
1508	reg.exe
1508	reg.exe
1508	reg.exe
4180	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4180	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4180	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4180	cbeb8a1dc9c1cc99182866d178ecaea8.exe
2136	cbeb8a1dc9c1cc99182866d178ecaea8.exe
2136	cbeb8a1dc9c1cc99182866d178ecaea8.exe
2136	cbeb8a1dc9c1cc99182866d178ecaea8.exe
2136	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4128	Conhost.exe
4128	Conhost.exe
4128	Conhost.exe
4128	Conhost.exe
4980	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4980	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4980	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4980	cbeb8a1dc9c1cc99182866d178ecaea8.exe
3908	Conhost.exe
3908	Conhost.exe
3908	Conhost.exe
3908	Conhost.exe
4896	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4896	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4896	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4896	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4020	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4020	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4020	cbeb8a1dc9c1cc99182866d178ecaea8.exe
4020	cbeb8a1dc9c1cc99182866d178ecaea8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1268	lockoQMo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe
1268	lockoQMo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 4368	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	84
PID 4152 wrote to memory of 4368	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	84
PID 4152 wrote to memory of 4368	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	84
PID 4152 wrote to memory of 1268	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	85
PID 4152 wrote to memory of 1268	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	85
PID 4152 wrote to memory of 1268	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	85
PID 4152 wrote to memory of 1704	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	86
PID 4152 wrote to memory of 1704	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	86
PID 4152 wrote to memory of 1704	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	86
PID 4152 wrote to memory of 1412	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	88
PID 4152 wrote to memory of 1412	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	88
PID 4152 wrote to memory of 1412	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	88
PID 4152 wrote to memory of 1764	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	94
PID 4152 wrote to memory of 1764	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	94
PID 4152 wrote to memory of 1764	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	94
PID 4152 wrote to memory of 1784	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	90
PID 4152 wrote to memory of 1784	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	90
PID 4152 wrote to memory of 1784	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	90
PID 4152 wrote to memory of 2436	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	89
PID 4152 wrote to memory of 2436	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	89
PID 4152 wrote to memory of 2436	4152	cbeb8a1dc9c1cc99182866d178ecaea8.exe	89
PID 1704 wrote to memory of 1448	1704	cmd.exe	96
PID 1704 wrote to memory of 1448	1704	cmd.exe	96
PID 1704 wrote to memory of 1448	1704	cmd.exe	96
PID 1448 wrote to memory of 2120	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	97
PID 1448 wrote to memory of 2120	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	97
PID 1448 wrote to memory of 2120	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	97
PID 2436 wrote to memory of 4644	2436	cmd.exe	98
PID 2436 wrote to memory of 4644	2436	cmd.exe	98
PID 2436 wrote to memory of 4644	2436	cmd.exe	98
PID 1448 wrote to memory of 4168	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	107
PID 1448 wrote to memory of 4168	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	107
PID 1448 wrote to memory of 4168	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	107
PID 1448 wrote to memory of 2132	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	106
PID 1448 wrote to memory of 2132	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	106
PID 1448 wrote to memory of 2132	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	106
PID 1448 wrote to memory of 1060	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	101
PID 1448 wrote to memory of 1060	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	101
PID 1448 wrote to memory of 1060	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	101
PID 1448 wrote to memory of 3892	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	100
PID 1448 wrote to memory of 3892	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	100
PID 1448 wrote to memory of 3892	1448	cbeb8a1dc9c1cc99182866d178ecaea8.exe	100
PID 2120 wrote to memory of 1504	2120	cmd.exe	109
PID 2120 wrote to memory of 1504	2120	cmd.exe	109
PID 2120 wrote to memory of 1504	2120	cmd.exe	109
PID 3892 wrote to memory of 3268	3892	cmd.exe	108
PID 3892 wrote to memory of 3268	3892	cmd.exe	108
PID 3892 wrote to memory of 3268	3892	cmd.exe	108
PID 1504 wrote to memory of 4812	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	110
PID 1504 wrote to memory of 4812	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	110
PID 1504 wrote to memory of 4812	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	110
PID 1504 wrote to memory of 5048	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	112
PID 1504 wrote to memory of 5048	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	112
PID 1504 wrote to memory of 5048	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	112
PID 1504 wrote to memory of 3816	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	120
PID 1504 wrote to memory of 3816	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	120
PID 1504 wrote to memory of 3816	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	120
PID 1504 wrote to memory of 4724	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	119
PID 1504 wrote to memory of 4724	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	119
PID 1504 wrote to memory of 4724	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	119
PID 1504 wrote to memory of 4456	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	118
PID 1504 wrote to memory of 4456	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	118
PID 1504 wrote to memory of 4456	1504	cbeb8a1dc9c1cc99182866d178ecaea8.exe	118
PID 4812 wrote to memory of 3696	4812	cmd.exe	114

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbeb8a1dc9c1cc99182866d178ecaea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
"C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\SoYIMcwk\BiskQYsU.exe
  "C:\Users\Admin\SoYIMcwk\BiskQYsU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4368
- C:\ProgramData\PywIIEEw\lockoQMo.exe
  "C:\ProgramData\PywIIEEw\lockoQMo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
    C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        7⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        8⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        10⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        11⤵
        Adds Run key to start application
        
        PID:2660
        
        C:\Users\Admin\PyAwYsUs\hSMowkUM.exe
        
        "C:\Users\Admin\PyAwYsUs\hSMowkUM.exe"
        12⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 224
        13⤵
        Program crash
        
        PID:4624
        
        C:\ProgramData\DmIEAcUc\fIkEscUE.exe
        
        "C:\ProgramData\DmIEAcUc\fIkEscUE.exe"
        12⤵
        
        PID:336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 224
        13⤵
        Program crash
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        12⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        14⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        16⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        18⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        19⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        20⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        22⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        24⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        25⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        26⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        28⤵
        
        PID:3640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        29⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        30⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        32⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        34⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        35⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        36⤵
        
        PID:336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        37⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        38⤵
        
        PID:1548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        39⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        40⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        41⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        42⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        43⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        44⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        45⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        46⤵
        
        PID:3144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        47⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        48⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        49⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        50⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        51⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        52⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        53⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        54⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        55⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        56⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        57⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        58⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        59⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        60⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        61⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        62⤵
        
        PID:1232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        63⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        64⤵
        
        PID:3380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        65⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        66⤵
        
        PID:3892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        67⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        68⤵
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        69⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        70⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        71⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        72⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        73⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        74⤵
        
        PID:3268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        75⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        76⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        77⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        78⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        79⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        80⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        81⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        82⤵
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        83⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        84⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        85⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        86⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        87⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        88⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        89⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        90⤵
        
        PID:4092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        91⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        92⤵
        
        PID:656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        93⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        94⤵
        
        PID:4532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        95⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        96⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        97⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        98⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        99⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        100⤵
        
        PID:2156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        101⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        102⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        103⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        104⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        105⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        106⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        107⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        108⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        109⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        110⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        111⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        112⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        113⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        114⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        115⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        116⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        117⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        118⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        119⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        120⤵
        
        PID:4640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        121⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        122⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        123⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        124⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        125⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        126⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        127⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        128⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        129⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        130⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        131⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        132⤵
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        UAC bypass
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        133⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        134⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        135⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        136⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        137⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        139⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        140⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        141⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        142⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        143⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        144⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        145⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        146⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        147⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        148⤵
        
        PID:3248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        149⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        150⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        151⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        152⤵
        
        PID:1096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        153⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        154⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        155⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        156⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        157⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        158⤵
        
        PID:1724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        159⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        160⤵
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        161⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        162⤵
        
        PID:1172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        163⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        164⤵
        
        PID:4328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        165⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        166⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        167⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        168⤵
        
        PID:4204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        169⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        170⤵
        
        PID:232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        171⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        172⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        173⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        174⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        175⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        176⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        177⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        178⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        179⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        180⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        181⤵
        
        PID:2660
        
        C:\Users\Admin\PyAwYsUs\hSMowkUM.exe
        
        "C:\Users\Admin\PyAwYsUs\hSMowkUM.exe"
        182⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 188
        183⤵
        Program crash
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        182⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        183⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        184⤵
        
        PID:5020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        185⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        186⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        187⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        188⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        189⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        190⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        191⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        192⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        193⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        194⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        195⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        196⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        197⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        198⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        199⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        200⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        201⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        202⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        203⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        204⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        205⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        206⤵
        
        PID:2436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        207⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        208⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        209⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        210⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        211⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        212⤵
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        213⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        214⤵
        
        PID:4708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        215⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        216⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        217⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        218⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        219⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        220⤵
        
        PID:3616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        Modifies visibility of file extensions in Explorer
        Adds Run key to start application
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        221⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        222⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        223⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        224⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        225⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        226⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        227⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        228⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        229⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        230⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        231⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        232⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        233⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        234⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        235⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        236⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        237⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        238⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        239⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        240⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        241⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        242⤵
        
        PID:1688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        243⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        244⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        245⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        246⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        247⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8"
        248⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8
        249⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DScsAoYA.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        248⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:5012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:4216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        Modifies registry key
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgMAckww.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        246⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEEgIgkY.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        244⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcoQwQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        242⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:5020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies registry key
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUosYIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        240⤵
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECgAMIoY.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        238⤵
        
        PID:4828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Modifies registry key
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsAgcYMc.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        236⤵
        
        PID:3832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUEswoYM.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        234⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEkEwIso.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        232⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkggQIMc.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        230⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        Modifies registry key
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkggEwoA.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        228⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIsIwkMg.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        226⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        UAC bypass
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggAUYgMc.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        224⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:4300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        UAC bypass
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUMIAAQM.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        222⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQEYEksA.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        220⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meQgMwQc.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        218⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:4300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiUAEUEU.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        216⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWUkQswU.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        214⤵
        
        PID:4996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:5084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKYwMAEI.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        212⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CywYYsQM.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        210⤵
        
        PID:3784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        Modifies registry key
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        UAC bypass
        Modifies registry key
        
        PID:960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIwoQcss.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        208⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        Modifies registry key
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acgwcYAw.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        206⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcUcoogA.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        204⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOMYEgEA.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        202⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies registry key
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:2748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyoYIYoM.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        200⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        UAC bypass
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        Modifies registry key
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIUEsIEc.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        198⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkEAQAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        196⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgMIIgIg.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        194⤵
        
        PID:3464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nykwsUMg.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        192⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        Modifies registry key
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqwcgQAE.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        190⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        Modifies registry key
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIEgAwkg.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        188⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIIIAccg.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        186⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqYQwMwI.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        184⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:2772
        
        C:\ProgramData\DmIEAcUc\fIkEscUE.exe
        
        "C:\ProgramData\DmIEAcUc\fIkEscUE.exe"
        182⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 188
        183⤵
        Program crash
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmUoAcks.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        182⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKYUIkMY.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        180⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqYUMQIw.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        178⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:5096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwEcAowo.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        176⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies registry key
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWUMwQUo.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        174⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmgIQcQM.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        172⤵
        
        PID:4756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcokwskI.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        170⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        UAC bypass
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkkAQAMo.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        168⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGcckUEE.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        166⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOYEgMcs.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        164⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        UAC bypass
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byIMAkwU.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        162⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rasQYwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        160⤵
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiMkYIcg.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        158⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmocwIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        156⤵
        
        PID:2368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeoMkQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        154⤵
        
        PID:4000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies registry key
        
        PID:4148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWEgQYYw.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        152⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        Modifies registry key
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies registry key
        
        PID:4192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diEMAkIE.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        150⤵
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgMIwwkY.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        148⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgYQwQYI.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        146⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:2160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuMkQMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        144⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okIsYsck.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        142⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgokMQQo.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        140⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:3216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKQcQIsM.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        138⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        Modifies registry key
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USYAoMYc.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        136⤵
        
        PID:2688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        UAC bypass
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUMgQocE.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkgYookk.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        132⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSgEQIMg.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOkwsAYg.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        128⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        Modifies registry key
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyAEssws.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        126⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emMgwMoo.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        124⤵
        
        PID:4636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIcUMIcE.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        122⤵
        
        PID:3908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUsYUgYo.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        120⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYkwYcAg.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        118⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akYwwAwI.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        116⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        Modifies registry key
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AggkcYEY.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        114⤵
        
        PID:4000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        UAC bypass
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiIwkMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        112⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOQkEMsA.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        110⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyMgIUYo.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        108⤵
        
        PID:3980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGEQYsMs.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        106⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:3156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEowwswU.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        104⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGYcUQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        102⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUgQkQoY.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        100⤵
        
        PID:4092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiwQAoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        98⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies registry key
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMMIwsAw.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        96⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies registry key
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        UAC bypass
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkoEwEAk.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        94⤵
        
        PID:2212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        Modifies visibility of file extensions in Explorer
        
        PID:636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        UAC bypass
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKkAQwAs.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        92⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQAsQQQk.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        90⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoUAscgI.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        88⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeocMMAM.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        86⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOMYwsgE.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        84⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImEIooYs.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        82⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:1648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQYEAUsI.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        80⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\booEUQwM.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        78⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwMEoIso.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        76⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beUAMMsY.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        74⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqQEgQUo.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        72⤵
        
        PID:4016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWIwoIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        70⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        Modifies registry key
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEUYAooo.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        68⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIQgwock.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        66⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:3032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmoQUgEI.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        64⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmUEkIgM.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        62⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMYAgAAs.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        60⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSgIEYgg.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        58⤵
        
        PID:4348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        UAC bypass
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwMcUcoY.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        56⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCwcwUIU.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        54⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwIQUQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        52⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        Modifies registry key
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeEMIgYo.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        50⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAgMoEgk.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        48⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:60
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYscIAMo.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        46⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\necMYMwM.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        44⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmYogsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        42⤵
        
        PID:4652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Suspicious behavior: EnumeratesProcesses
        
        PID:1508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQEwooAY.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        40⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAMoMgQU.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        38⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmUcgEEk.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        36⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWMMksgY.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        34⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmUgUAsg.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        32⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOQcMEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        30⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emIsIIoU.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        28⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggEQMYMU.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        26⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaksQkkY.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        24⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQQYkkMU.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        22⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAUcQIcw.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        20⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOgQgcUk.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        18⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        UAC bypass
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkwkAAow.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        16⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGwwwIoU.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        14⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmEUgAoo.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        12⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEksEYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        10⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIAIIcwI.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        8⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4968
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:5048
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKgAwkow.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
        6⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2168
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4724
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmsQcMoA.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3892
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3268
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1060
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4168
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmgYUwkI.bat" "C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4644
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1784
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2244 -ip 2244
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 336 -ip 336
1⤵
PID:4280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3704

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv tPL5rhGh40CckE6LP6ON8A.0.2
1⤵
PID:2860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2384 -ip 2384
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4288 -ip 4288
1⤵
PID:2008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

Filesize
391KB

MD5
b074a1a506beb551fe47d3049f01d472

SHA1
f390a7d0e8f47ee3c2ea779f419b277e2101caff

SHA256
f9fddd560f48ddd2c6e7549dbd6966b21bb1f78b254b40ed1ab756d948d69980

SHA512
0c4a8ec412a38862e13ee2691e282f6e0cf6abb214dba7a9a7e32e975c8f913afa0e8c5909dfa8124633fda1956330adc082372a2f3a3330118558aeef9fcf8e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
781KB

MD5
b9701991718e82c86d78e67354286863

SHA1
5aa69b98a3b47ab693645932cc50f2882195d284

SHA256
f4acfca60bb104f07d1ad048cce2feac4160e2d765250eac2b9d2acc84860ae0

SHA512
7934dccd777053b92081e5606b1cf821668b385dc4e5d660fe29fa1ed8a3076ded5f100e555bdca95ef17f35964c5a0955e1241e37badd1aca43afd7771c29fa

Download Submit
C:\ProgramData\PywIIEEw\lockoQMo.exe

Filesize
188KB

MD5
1a9c14af192c614d7d74e663a5f71b62

SHA1
53f4788804a6033b45dd9612af78d8494698a44b

SHA256
20c3e8bdb24294396319cac74bdb7e546666d3a24eaa8d33c6813210a4070100

SHA512
65505242a95a467c4167fac9271b31c7c0470e1d9845700d6ca0dd3e987ad30a16f3f29dd26503fd52edf532028814c1b54054cb84e121ba2974a3589c027884

Download Submit
C:\ProgramData\PywIIEEw\lockoQMo.exe

Filesize
188KB

MD5
1a9c14af192c614d7d74e663a5f71b62

SHA1
53f4788804a6033b45dd9612af78d8494698a44b

SHA256
20c3e8bdb24294396319cac74bdb7e546666d3a24eaa8d33c6813210a4070100

SHA512
65505242a95a467c4167fac9271b31c7c0470e1d9845700d6ca0dd3e987ad30a16f3f29dd26503fd52edf532028814c1b54054cb84e121ba2974a3589c027884

Download Submit
C:\ProgramData\PywIIEEw\lockoQMo.inf

Filesize
4B

MD5
549d1f97a5f64c5b4d51d0a71067b9e7

SHA1
132f2790b0d5aa939028073f640d097d902ef773

SHA256
baf40049866ffbbd72c5509beca3c9e08ef275b67f8d6839441a9c1b8e3593c4

SHA512
eca12046dcc493135a4647e7a013e62cec3fa290265d14f44cf62231fdd80e61458e46f6e71ff25b44229d20426cb6c24171ae26f4c5110a94cdf4a9bd65cd8b

Download Submit
C:\ProgramData\PywIIEEw\lockoQMo.inf

Filesize
4B

MD5
7914099061b29f29f07f174263fbb037

SHA1
1a58a80d8a270805986577bbf2cf3923c396bb54

SHA256
1255425aad09c379a96926931cc19c4893c63cd2af9be13d50a25b212c43fd3c

SHA512
57b815dbdc73345d17a9567ddd4fc5bd54b03f7cdf823d6ba024df43ca49ff1d6e95862b563f4654a426e708e767a0c1c44f30b6e853558678a1d44369057bf1

Download Submit
C:\ProgramData\PywIIEEw\lockoQMo.inf

Filesize
4B

MD5
f00bd57fd7bf1db1d458b6fc7b3e98ad

SHA1
9a7960258c7bfb91af9de35df2e95ef5da5e613b

SHA256
8146bd822ce81e4d53b56fd9caaf01f234e3088ad045795e60f5e41ed2d07ef6

SHA512
69f74b774f66943374c712379121a6c17b9a0e14c183692030e60fc8ce7c8bea7b159a84e5abeb91a41ddb0f00c98a89e26c55859302f9207f4f4267dd1d9a7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

Filesize
195KB

MD5
714e8983b04521521ea3d7a0e41f11e9

SHA1
2ee8049a50f5c1662ad5da4369667794d41465c0

SHA256
a9f7a36aae702ce94dcdd193dd9880ec2de19b7dd883f324bdf56d022e287031

SHA512
b58dc5b4245474ed6848369083cacd73a567da6d2215346b8e1e9af695051f25929627bc4e15aea17fb3e698a14a929cb9874d9ebb6adc5d5666aabcd2cbfdcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
203KB

MD5
bc262ea1a443aca9267b9d222b3a0ef3

SHA1
42b16b3c05351b8ad910ea2caaff58de80c7cdad

SHA256
b575a2e360065236bdc17897558d8e59ce2f33d07e4541820ab3d5bc1c3e1b0c

SHA512
63846c255e38f36b569231e7d0ec48c16f4b4b2f18b7c0f32b55d4f4e9bcbbb34fecdd3504f2c0d77eeaf5322e9413f5ee3ed2a0e044f92302b32a2c78aefdf9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
194KB

MD5
111734c79fb7058dbfdfdc67fee3064f

SHA1
59fc530a5990a9f622c11f20c81b62350a4ba1ad

SHA256
514f7837bc18e22558e9c25577fdf6bbbc003808fb76a26d7b3edc9e40f9f318

SHA512
619aa6ec9faad59e991b460ef4258c41e920eef811a439f35c60857b1a321f284f39dbf607af4169823a563bdeefe50b1c03d859b57d5e77de2533259585fce2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

Filesize
189KB

MD5
736dac1c049693a317086b5477094380

SHA1
cf4c57e0a8a0d010846b659b522461a8b1174f24

SHA256
fdfe63a19f8576daee336450052fb7ce83fb6aafdab7fcf55d55045250a5e6e0

SHA512
682bf9303fee756f4c9f684dbf1a1e6368c351f00059b9042f007aa922f3cda4c4f7350df39f3f0910194ba50ea253e1cce4b6e0a3f6a81af0b2a338b8d1bcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEYg.exe

Filesize
214KB

MD5
a429208bbb077f8e8bb0dbc0b5b232ad

SHA1
a5f693fe5e922bde41a744324d7246d7e1f2c47f

SHA256
82c3f8ff850349739c447b05bdc41631a3693721a67202c15b369ad81d9eddbb

SHA512
716c471f62a732e7e75881aa69bfee173e3b2a416cbcf0809a30f42a9a245856d239f40f990a049782c42313f89e3dc0062114979a8e3a52fc7e00bd091177c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIc.exe

Filesize
1.8MB

MD5
a2fd52839e40578b9e5cef8c79debdbd

SHA1
da3b64c58689d9fc6dbad832dfdd84b3a02a8bc7

SHA256
184312e36a64a4bde7bd093ed667cede599892495bd6b26e2f2528e707a8696e

SHA512
b94ec516383e5c4401c3515c02be2f6dcd450be3e90844e45b4c0b4293ae4fd2cc4dc7f9c9f417344a48bdcc8873c5c9d2033c47471872c2315bd8a42ee7929f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AswY.exe

Filesize
204KB

MD5
2fa922709b623939ed870f311d6647e7

SHA1
02c4ce2f4c4f6719c3b1b7fbd570988d47d7ab5d

SHA256
469be33f64107851ca31b58170d8073c6a0306702b214921e1ded10323502262

SHA512
5f2b3614bfa3367a8cd4b360482d76d811d870718e85716936e65a83b1006b5ef48167b371b8afaf38c71a793e707ecd6800e1a6ba60e2a320f03c7843fdc4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMoi.exe

Filesize
234KB

MD5
455a88e6f370831638e032d1082b591d

SHA1
41cfc6608cbfa3c2ca9db809f896346d396fc065

SHA256
93d9175ba9f67c003ab2d8fb54726f9f2f58e05e0b48ef211874c9f2eefa70ce

SHA512
aac668fdc6a39a8f00b89a54eff108b33c6c573ab00622f245208dabe49cb0317c7c5caa978cfbec20599dadcab470291cf9b68dece7f3eee01f4943683d6abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGwwwIoU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQou.exe

Filesize
243KB

MD5
20849824451e6462afccb66409d39a8b

SHA1
17d2037eda687d5a8a850ebe1f367211a7849376

SHA256
714287b634204645f259b7cbcba46c1d5720f46a04ba2735a518d1c5861ad28f

SHA512
27cf51cc66dd70e9a7da8dc6e3c5ed66bcf363c4798ed1f065572752358b8a06bb79c426e8136a2ba1047819a6566e1ce2c1f0790c312a82c7519ce440234bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\CmgYUwkI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEAU.exe

Filesize
233KB

MD5
ed38fec60a013fb38270b54d67c75f0e

SHA1
bd2938b38268f88cf96b6bebea0ce763d258a789

SHA256
9d22c3abe09187456f303fdafe09669091c88a6736992ad1424a05a65e76dab4

SHA512
da5e797336640340b3f56e2204912e16f821a043fabf2691f54bcaa13dc930d9d310b42f5fea62de67432a057c6bfe8aa603418f86e7cd5453463f91afcd76a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYMe.exe

Filesize
514KB

MD5
57356453bc644bdee7d88c23f36ecb57

SHA1
6038d44354acd4ed9d3148d5b1cfdc82736eef81

SHA256
fb2ef0a233ea179ce02b709c328fe5cf3032a99c4bc6e519fd2e3301ca0c784f

SHA512
5a6b8cba0ed8355457143ea90b20c1a0e449a8e86b09a675592c182801b899b36998cf68fa3560b5835a31355a9c6fd1ff7bcbedd4c613f926a2f2be4f9269bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dgsk.exe

Filesize
185KB

MD5
4697afccd83faaabc539e95c60e9f6e0

SHA1
90b7159cc37ac859a03b88ebccd2da82a5c76a06

SHA256
ad67fdb46355f14bf22335edf450ece847161f2e89798b9cc9a018760ab085d8

SHA512
db6c58c91729032393dd17c0f677630c86fed08e6521985a81accb9df1e50ccc48d402a6ee38186e892ab0cd5c19f9286c9da692b379a373fbfd6185bd3fae0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMcc.exe

Filesize
201KB

MD5
3470721e679965759dc5f31c86082d46

SHA1
88ae8330e9e84487768c430dc177a004d66e7d35

SHA256
f28f7317333e125a5c62270938c8dfbd7c256bacd8657e14f2dd2180c51623b6

SHA512
5a8faafd3f5e1d2d7a3218ca2a2bfcbd2fd27102a719baff6f4ddc120671be3bc45fbb2d6ce021620f3641a7e85bc7c6cdfc61a693498ff32a359e0575707f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYIe.exe

Filesize
1.1MB

MD5
f91fb0f2b328ae46aecd2223f58b76de

SHA1
52a19629c3ec71e578932e54a14c6dd626fe872c

SHA256
0d05e9f601423309af7eba11a2badd1697fcbe9e43bc3c696fed05ef3654304b

SHA512
6945085f94c6a0b359920224c06981d35cc8a934cf09eb4064a038f1ae609e3bf9a42f0ae1d45e3a80599e150e7299fb18235ea3dea8b8185a8d345e0ecfc820

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYcG.exe

Filesize
645KB

MD5
ce5d664ba6b13f2e376086f247163ee4

SHA1
0066cf6d434e9825463077d954000a4081fdb440

SHA256
cbb0aa59bd7f324582abed9f60ed2d0c5d52d02c4ceb91c48c0d1caebc09f483

SHA512
3ad6817953c0682eb0586b78b089db22094b19a4484bc006b6383175db7c394d19ffa591cd5519c4a93bde95f9bc2bf6b6f99bae729589e01d5eb1a51de54cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcIs.exe

Filesize
190KB

MD5
715770381ee030860bee98073a39e71b

SHA1
401cf2346c1977684a6a25dac1659760050048d4

SHA256
f3c1a0b554da96449640315b1b672efbed9ce43e10e43a04f3a3e2937466eeaa

SHA512
8def86155a7d9c11046e6573891685a0b5bd749a328d518ee5cd803bf4d4756a9281065c00e800c484b893d64a9d14f6fc97565390aee72d231be7372ce36b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eckm.exe

Filesize
186KB

MD5
896545232f1b0b62ae38c4ab04447e21

SHA1
99c9292dc891589c8f13e65ece9f0f4a7d0aaa81

SHA256
df211a2d582495767e84abde3acdb27ec99053d6660704e9aa0e633ac5d0f5f9

SHA512
c5a1cff5441ae0575dde463c6e455edd0673aedac76e154725c4c7a34a52013b032fbdfa78f1f40ea604a1e8eac70ef753f334f79cebbdf4a7a7e634c28a8db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EmUcgEEk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgUU.exe

Filesize
625KB

MD5
7a5fe2d5bd29868c11334b78b775f9f4

SHA1
376d226b2d7a50f7001f833dbcb13c888d633d6d

SHA256
a154e3eace943523b70c073e4a07bf4440926850ca69a1079cf7af136225da36

SHA512
1d2d44c0a4b8e1ebf68e941dad5d473b60a3619aa12044a8a169dba80010e32a09882235827c55cd825d0f9e8987c2af5c9d07f75814d5157acd096ce0db4949

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMIo.exe

Filesize
189KB

MD5
e8ac0f0db4185dea8038459e937765e6

SHA1
823f5978bf45353c9e0f5fb6c94028fa1ebcf9b6

SHA256
9c8e99565c3ec702a76b879c82c403e5068237dcef2e646cdeefa8660d3f88df

SHA512
bc0e4b7c98d3c00db832137510062e299490b7ae64a49530fdbf90892dfa5b891a1aa3cf92ee568f56134d3e66d69281c71090a394023fd4a20e35d3ad4dceea

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQQO.exe

Filesize
189KB

MD5
015cea99cc158b2b14c1a47e7a419a8e

SHA1
1ec7af585eaf0ca0a51c8f711cafb0f07466a02f

SHA256
c9ee5d2ac29c6e04d391ea60e2b48b157b9b866d3fe1d1dc918d19d4d375502f

SHA512
7e01f428d4e70586a9bed06d42f47cd94a9e13cafc1ae1d8482b772dacce53c3cd86dbb79e5d38a1a4dbfac18734624a6533deddd6ce80d71044671ed1c35a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEAA.exe

Filesize
580KB

MD5
ec421de90bd7554c13801898d77ff6f1

SHA1
5ac5a782057864dd84b0ad7bf93261b7381a1c01

SHA256
2636c14cf9b1a8e57c57396e562ebe2c9dad7e8417d433555109f9183e614811

SHA512
f547161d4e8b8ce629b2de5de1c12682a86f7f6558557d3ce7a1ecb61651d1acdc02fba6519e487098ea701df5139a79d3b64e522ff73646549280914c94f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hcok.exe

Filesize
198KB

MD5
171b6685eaff6978af4ec0f5e9b2d575

SHA1
f827ff25499469c10f8921c69e3c9bf94dcf08e1

SHA256
ed024d15fa877c60023560001581fd7bc7d646345032f2175c9a30005fdcd8a9

SHA512
c1086a873095ac673b1e87a99b4d1724aa1f20b06e1e1df0d6412b68e18e2a6977b2fd74adee83b8d4e28c659179daccc4c4ca80d66a4a14f6d00d4116814933

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEQY.exe

Filesize
195KB

MD5
c006e15958ecea41f495de4825b5f9a8

SHA1
4c568837cf63261d58310d9b1ca5268c51a42bdb

SHA256
06b50e31f580a56ea23962c69738d06fb5b45c42afdb5b58d519e9c701743aa1

SHA512
f6d88af27236d3f2a8315210ae06a968a79b3a7bf967387a311cf432df15f453d0672b0467a3391485c70894685ffebc5c742d6d761fdf285fd18f43cf550af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsUy.exe

Filesize
327KB

MD5
bfdb0b0ec307a9324ed9989ad543d306

SHA1
fbbb7b64f93abe920296bae0f0de3aaa67409c09

SHA256
d3f60b74892b241083ddc7f17d3b512884ac61eaf394f545f549f87900b26fdb

SHA512
33971a4a73f9303d1cfe09a44bc25c9c37871a00a91d94645f21150e511317a2d5767ad385731d6bf9f921de127d7b81a7b05fbbb007c32f1887dbbf3a2e33a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIow.exe

Filesize
200KB

MD5
d82e53b7b5af40cf4336da7e51af7be7

SHA1
bdb1a784f34a6cd06c31e9dd3a87d90632b303e7

SHA256
53dea9ba577949b3ea83c68f31a1901605c78edd25d9c7a3575583acd6a2c39c

SHA512
c759ab108e6bba087c3edfd8f806a94f52aa1992705b474ee0b0e88b9d1116db648fa19ceabd6cc1bbc597b4df0a70612a7396a676afae6543744505dd6a2dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgcI.exe

Filesize
199KB

MD5
1d7e239f571d153bffb86b16888d5aa5

SHA1
d570990d8a2be0480fd4a1fa925d222474ce0fe1

SHA256
6105c58be0bd6154e87ff773bcd04fb6e1241740924108311af368f29132b045

SHA512
b6429365f77edc897bfc60120da76a21f654c44292e168a8338329e1b0c5646ccd51ee8502ec5273da89ac99a5fa38d7e81be822f3b559e636ce7e6024af848d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kkgs.exe

Filesize
232KB

MD5
82163200a9a4b4779ba11ce8b57e3da2

SHA1
3d39e9097c32a48524ead8ed1179b2d326bed56f

SHA256
13bf55333760c3e02aee377119c97cd41030ebed383e7efccfb216b82f1a3c04

SHA512
85c59b92399b638a1c6724a631eb162059ce5a2645a565433c46977f5854506105073b151293b2fe5ed65305f2f45b98e28cd3350770ed88cc05ea640d0000ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmUgUAsg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAMoMgQU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYAS.exe

Filesize
211KB

MD5
418a66bb81399a9400b45a4eccbcc5fe

SHA1
d6b03c1f46aec797e091612fb95a45e4377cd687

SHA256
2ff935860ea7492e7897c0437eb91c38a28627c2ab2b14ddbf9152b4813b821f

SHA512
c7a229c1ced4c2ff054f476c5b377aa65c9284c8ea9d04b88490d3ba40c59ccb774459269c6dfd9d8fbdf37e50329eecb4a5084b0f2b6e9f791521e2a3f555ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\LaksQkkY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkYg.exe

Filesize
202KB

MD5
036f350b2a92658a3a2c8a6a0aec3a23

SHA1
5873de91f0978833ae5700908749d2277dd4aef7

SHA256
2c9d3f1bde077d63477454e14521534b017de2d4aeacbd8b956bd56f04ff01bc

SHA512
54bddff48d90d135d4b098174593cfb445dbfd886bda0428eb1570e9592ed4cacf1a56bb01896a8a64c7624dead422e997de0e80414834ece905baaa7452da1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoEC.exe

Filesize
189KB

MD5
9a93c148f5702527f8138e77c5b6754c

SHA1
e9b51aeea429a1c3c5bcfa347b598266e9eec56a

SHA256
1464938006e31c8d89054fdd385e1309c1b462430503571e2a1c11d8220a1fc2

SHA512
c4fe1e3613aca56621f5b2242b8130154d53b8c307abf6af1fe3c218e75e6862286c374662f61afe07eb94b66b676cec9dd43169feffd1e404924c4e4e4acb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoIC.exe

Filesize
420KB

MD5
761f89db1d5c114ca1337fb16e213e5e

SHA1
143c71aea9f34935fee1036b9aba4310b5fcc5f4

SHA256
bf3f7a772251c77d505393efcacfc0f8d478d31fa2897bda5db54571eb2b83c0

SHA512
42831dff4f624798a2a525a576631caefc1b97e7789473470c5998b88c347bcdac9c8715f28e7734bbefd3e851654f037f01af0b687df3bd62d33e6c32e6ea7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQQYkkMU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEMg.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYsi.exe

Filesize
234KB

MD5
f8b881a912e5141582424342a610ce4b

SHA1
161a5895fb74d6e23e8459903ecc78d80e72d533

SHA256
65700cef62b03c5875a4e03cba5e78380f0184cb237edad0ba3664b0c6a230eb

SHA512
a014e35554210431a200c4517415ca18808d238002b90cd230882b1331878dbcf178fd1fae2c2acbfd0ed6f4556b54ca54f3182c50366d3e98feceb63448a571

Download Submit
C:\Users\Admin\AppData\Local\Temp\NskS.exe

Filesize
203KB

MD5
d5535467f2d7795f40ec34d79b944e5f

SHA1
1977d3b3315c8355d09eb8e0bd95c6a052d3c3e5

SHA256
4be416071b8367bdf4389adf3fffa36784df1305905f3a2730ddd178611aa624

SHA512
f54b94113e1dfc9fedac99ac687673b1f8e0a06080e961f75e4d3b98e1ff96ca79cfb1beeaa54fc1217b14ef1d4706ab224c66c6df8bb7a3540b94bfa113fdee

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAsQ.exe

Filesize
325KB

MD5
a11e80c458f3fd940bb9301f0363398c

SHA1
09a059cf65c93742a87db2f2b7ac60d9d4ff6fd7

SHA256
b0fefaa1b677c90abd7cc64274ae15057e0d25c4e6c51e8783fc33bfd60f33d0

SHA512
2a68a18857f55640432e46dba0aa0d1143e35da05788778e7a702c9984c3c893c6eb3caaa20a31fdbf291b905516a2c0606069f785b8b17bf9a395171e1b82bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcMW.exe

Filesize
189KB

MD5
a852acaf28c64a2d8b1072131c29a90a

SHA1
175a7b9fbed70f0d0078a3dc6455b6fd89a416b6

SHA256
c422c5882baa967f160cfa3835c3eaef38d371566d6334417fa7847463e55169

SHA512
dcef86b73e2f0d96c564c0201cd51cfdd543394e7be01e524f7641d991e8556aa789a4df1b4564198c9f539d9bc4b9df8c42044eefb439c01d0471414da3f336

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pwoo.exe

Filesize
407KB

MD5
52d6885f4e454133768e6bba56c64b82

SHA1
62f4703262014e7f8b8d0b87881363c7857d2f22

SHA256
76a5461a4dbdfbf7d17d555d7f27e66f997781257887d501e83fc88bed8d7ebd

SHA512
d3bfbfd673cba0e8f087067c30d6f525fb0356fc28bfb87c106efa9dc2499ff6f5427f839b58ce0d16a39ea39afb98918f237666689c4c732b133d1ece754e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgYM.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwYO.exe

Filesize
197KB

MD5
2ea15cd3e34504fa93d8ad49451b289c

SHA1
06a210a7f3f4331ad7a945ab2f55490b7fb67982

SHA256
506778a57e780e4d6443a9fac62fc6121d69c783d1edbbeecdeece248a4663c7

SHA512
6560a4300513839af240591b875c3380a6c2b44d0cc652666a7cfd7654500d3d2119a77d22b9a53283c8b94ac7388902915c2251ced01b58c54efa1d1548f04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIsk.exe

Filesize
181KB

MD5
63aee8e907fdde1940cb5262b1a65aac

SHA1
b5bc9aec1e73d21a6e5b417ed661545aab8de8eb

SHA256
bf53e246482992d0d5a807f5bf547aa8e567194fd510820596b7025d025cbf50

SHA512
afc5acf1bbe41b1b31037e9a63fc82795416bc8faf5112e75848b5296ba22a588f8a7a7553b0599625f28daafe69823e225dca2d1737300f62179b50b640f08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUYY.exe

Filesize
215KB

MD5
52094f5faa04756e6e881b25ef8c12e1

SHA1
a25bd915b2b698668d9a32a12a0cae633d367233

SHA256
135aa5de73ddfd92b57e28fc00d6a4bcd68dc828b4affa32a86d9f7306294367

SHA512
8c53fb5c3d1087772458a11fe010b7d695abfe3839fe83a092d463fe9eba3545cc70f33a83ddeee0cac82354a36a4af21d818a0386cc289a2167e19d570d9933

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgIw.exe

Filesize
322KB

MD5
fb83417d4440753b706f0fd4c47a5e36

SHA1
faf04fe9b352a5c057df281b3adedd1a00412938

SHA256
0b016f0a593f13bfe08d8b1f67718c862f018ece103add2663773f18db4ba796

SHA512
53165dbd612e0e801867f2afb4ddd64c61dbc075cfee9cf6c583914bd461c8d1e452060798938279d93f582e6603342e62338b7229c420686fbc7ea7cf02ce10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsAc.exe

Filesize
199KB

MD5
d6d27ec3c169a46b3ca7a19fdecca510

SHA1
cc954cd4a85869f56a89c993ae467d528ad089ed

SHA256
4694fef8df434468a1178f750883f742c949bdde41a78a1137f3c85c1f8575f4

SHA512
9f5f8ccc04c8acca6be1f34e0c988ed8df3de3c849270b52524328d1ea79ead81dc7f4f7ea5a41179e3811947c12dd03081ef733f93b0f74e7e1030cd771e9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rwcs.exe

Filesize
199KB

MD5
e7297020045ee0d479942bce85ea7b4a

SHA1
8b6c1893ad67c7a205f9ead6a06a11f931639be3

SHA256
0ffadaa3e894837bf24c13a960048c9ed54beb237dca6921a15ac635a8e726c5

SHA512
06d506f7cf3268f3c8fbcc45a0a9f7eac8fe80e23a2197441cd047ba57d0988cdf37ecae3f54c9e91956d5e58e76f5894597330043a184ee5f0c117001bfadda

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAIs.exe

Filesize
201KB

MD5
d916b92af4ddaa056dbfeee62a79545e

SHA1
e501db26cad5ac6f200e81310160cf583b59f543

SHA256
b88357c536443f8e12f1d4f5d17df883397f0fae834c819e103ae7eb76877856

SHA512
09c936402900af8b8e7ed86e3dc46ea37857854f9b241d8e92c769399e3fde37a39c956a9bb14c4b48a1eb445ac33b9dfd65c6e925474393b958520f62805878

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOgQgcUk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYMa.exe

Filesize
204KB

MD5
dfab35018fe53233434057b1495aa68f

SHA1
e969c383febd1141b858e64c9de3582556d821e4

SHA256
94fa4b922c493cf8e358c73c8608ecb46b38d06273a7add792cb25a2144fdcf2

SHA512
2c3be35f3820578f1a9c2e073139e7a421eebae786961503477f3fae75f1a4beb039c587fd20e4213c48436aae4b36563ce061144844dc42f1d569c577ffc932

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkcK.exe

Filesize
196KB

MD5
a2dab1e82b50867b9b500446feab8190

SHA1
16d1f1004a20ef810bc6f353f1245ca1e437db07

SHA256
3f68b170f5655ee893dd3645a778f2b3779ebbdb80a6a9b1e31090e81f70f372

SHA512
3b0669803607a03eace2ab03fe7e18fe76cae7640e53e4ff95135e1bb6449f89c2fbf90362b03f9db0dbc396a6906cb94a9fd6c4b3b673ed9c6599d0b3b093f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAwA.exe

Filesize
206KB

MD5
ca54d66b47d93a695611a306d11c908d

SHA1
43efbedaa1fdf178244640a398fc72d43e49c9a2

SHA256
0452a3b50064d6b4059db9f0b7b580f3c82c0ef9dfb6efee8f3d40831d71c905

SHA512
074d6e3e1f9daa32304fe5fd34a018fc71922416efc7414cf806934d521bb8b01593b27299e6c2a30da723e333d2affcafe4e4508edc7139d85b65ac82881157

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMcy.exe

Filesize
5.9MB

MD5
f51f3bf8c1cc412408ef0c0a2d33eaf7

SHA1
6bb8bf4495881ad43e61e742083357edc0c97850

SHA256
3c6bdd99d56009d0f7f7a87bb1557eb2bea5e8722bc07b026a958074772e5b62

SHA512
fa78b3d4247726eebe9aefb96f8457ae3f7489e09a2df24f2d7a40a64fcb3bf2e39949abe5fe97a4e00b16231a51c4d15f5d2f156f8c44a3b5e18de3fbc83351

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYIw.exe

Filesize
180KB

MD5
2ba51a81ee670d1244f6b2d7e77b98ce

SHA1
570cfddd36c4052241c9abeccf09bb6ae96604af

SHA256
e739b1e1d99143902ccf07d3277c0c1bdd9ef6d8fb0cb0a872e34c75c10e12c8

SHA512
712c2db85e062a96c874e9edf2facf59cd33aca4d7c946bfce198828a0eadb8f113b0dbb8e85ac9a10ca4ffcda8e52ac279db42b76d441c72dccf978feaf4865

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYke.exe

Filesize
260KB

MD5
1ea42aa4a9c0d32af0ec2936211ba2fb

SHA1
875744af8ce9c0d3e21749a65659a409962f2306

SHA256
74e07b5bb8123da76967cc77659c494213cac28f0744d073bf40bb03853ba235

SHA512
74140dafbb2c4cf930309392ba92ad40bbb93f253f73ee353829d50c845e16e0ec7cb9a36ce72c49fa81124d11080ab9713dd641e28d7d685279e0cf82a29cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgUm.exe

Filesize
189KB

MD5
ef7582dc7e55003ba55cc707445be628

SHA1
001de936198f617a91d853bc45215b2bf70272af

SHA256
2e582f70968b44abd9cb3213386f73ef15ae6d7384ee475032d1eb7fc979ceee

SHA512
6986a51bf38a5f8f481e65b02ccb2bc5f35e0e3a2347517c0b1ad51c93b19cf64b7499c843f37956fd0f211f1c6f4f9649332181f7e1e0f1965a5a7c33368370

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoMA.exe

Filesize
5.9MB

MD5
5d804b1ed4df2315c4db6d8482475ef4

SHA1
7e35bfc3fc4408d2c74afbaa9bc41dfa787114ce

SHA256
ccfa2ae0b1300d974559ff81e9368f38b99886049b8f828fa85a66d0754bfea6

SHA512
01ec1e3a4dc9e8862f5d514d268c4426e3596915ae5851a4f0bb6389cb24ff3bfc49b6543195df766b552a72440ffee6bf548a6c04ec603de405eaa8900eb949

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAcG.exe

Filesize
198KB

MD5
3eb7f53edc36030e13eefe7b9541834c

SHA1
f1692f79d459ccfb053b07bfd114f6f2ed7a0db3

SHA256
b58e833f8fbdcf6753a9f8c2ac76904c31e621ecc192a5fa145a801925872949

SHA512
fd93cf33266574f09ebdb17688a0d7deb969ece2c9062ec212300841117d977afa80be5e3fe33a6d5ac9bd50315a5af379b83332b41485fbe92d00cd96d35987

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcIi.exe

Filesize
212KB

MD5
bdd03130111a0ce4698f6fea3d6620f8

SHA1
b986547861a27b61582887a20beb5bc52540cdc2

SHA256
1fbe186ad8f9d3632007a0f158035db90d12d6253eefc6ce8c2f625dd226d0db

SHA512
cf3214d0f0d4753d1c779694003f2098e66e12a074ce277a70c7dcb217bb45bb6500c2f6fb655d6208ebc25b424073e5e953ba4ec16a84d6101e955323437112

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMga.exe

Filesize
636KB

MD5
092d0f265c6d821d46167cd1e9afc3d6

SHA1
c1b9c3dc78b9210847d70d0e9a12115c0ca7019f

SHA256
b009ff9cc3f17e0c5d860d168822785519bea26aef1f02c0464a2cc21f431645

SHA512
10c35c6f2bf4b40da9df14460c32f2e2d06eba149a4b435cdb814b87e61572a3642486f476149f2c5df825560f8e0822aea4a8f9174b04a8932bbe0838ea93ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQEW.exe

Filesize
1.8MB

MD5
647e647a7b9d69221b4f662b55962e4c

SHA1
7c6ef208eae0c70889370e7e115e4df1decac0d9

SHA256
c409208fbb76425973bf55ad1ffe48db19683607ba91a23c0c7c040cdcf8cb6f

SHA512
86e12adfc6bade66f76bbaae2b5684b49ef633d0f2934be2e7104f55d84bee5f0aea4f1689d466bd32771be9584a57b9f5091f6428e07e2dd5b3b153ce8a0d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwEC.exe

Filesize
658KB

MD5
ab8c477793731ebdeeef0186ef825c2b

SHA1
5976c70f9f3dff748984b52874ea13a02aa321fa

SHA256
0d59787c3221fa36e0e4525e75409285bf77b34a54253126a2113d85ad1e7539

SHA512
d2158b4362cdaf10ace0ecb065fc0ff314765afa89c9a791c78b85bee60791a70197e72d3b5b423ea0301fc6edc7864025b29c7bd38bb38d966e0b798089cec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgEo.exe

Filesize
5.9MB

MD5
fa54a15c7d7a2f8628b896857c8602b7

SHA1
7bcdfd9e272865a158fc5132ea69ff5da9ed534b

SHA256
52a7a6fc9fcca908c9ff6718e9499be6528b887717b5c815760701c63a838163

SHA512
8de8a59d17d8c4da78284fe5fc0a49eb60c7e9d22be09058d697502721aa80ca8cb060ded371ba9b1f5242b683ae1c67ddf068bfb82668a4e2188c32a70d85db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmsQcMoA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwMi.exe

Filesize
208KB

MD5
cd64bab9574e8b11cf5383fed2fb53db

SHA1
8f8e21dd011cb6546c861f06870ab706ca3eccdb

SHA256
1e31fbdc115ddf7eb62f655b0d97a4c959dd46eefc8e2be1adddca3949ed6793

SHA512
a25a96cc2d62d5100ff15039874733f6e5e9b7be2857d0986339e386f125faca66c878d5797ab0bdc0206bac22c8d27a79f5ea09160ae147b99c0fb30836ad9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\acMc.exe

Filesize
190KB

MD5
80b2110257cffadf0aa2ccc888fc5c91

SHA1
7a14c86b1783ac1fd5763a009b69589ce31649f8

SHA256
17e394ca6a4def660643857e0c1d0689f707d7a51a501db94abeda0de1170655

SHA512
10cde0b384acfbaa5d708adebae6b25101c58eac2b74c8e9c66d5118398c0a1634096f56b969f4afcfa97718dfc2a4e414e8cf41b48f49422a45e470d0e9a2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\akwe.exe

Filesize
197KB

MD5
479d12aec0fb4214241e55e1a8a5956e

SHA1
1e53e69a0fa76413c831abae5558076352a90217

SHA256
1d7bba1937da826b2771671d6f128937875f61827f471fad4a2c112e16bebacf

SHA512
2ab84b3a0b06662a27f72f5971647d6e9d74cb7980f0d2a230ced1a3b88dc0367d9844e018d3192336697a4da1ee78a4b12ca5ac25ab5bcc5ea10e85e91d7ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEAy.exe

Filesize
192KB

MD5
4d517e7a79d3dd3a8c39c174dc4dda60

SHA1
5f03a77b3df067290971881eb301859ba333890a

SHA256
3a68a9709a36f42e31a0b89ca008b2cf442eab0cdbaf05ca23edcbd2d86929d8

SHA512
1584fcbfaf97c32cecde5c27fc0a9972a9eba9d05867fa59a3e62243e4a1236451f5b85f7c03a28f079af9f676b816cb1dc37f9d1b721774c0f661dfe2207970

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYUW.exe

Filesize
198KB

MD5
765b7a85f5ca4d7e3c9aa71dc91c8bb7

SHA1
f907a9b0a3efc40018bd6f5a658da8eadd7f59c0

SHA256
19dd4ce7b1509e8206c09a0e89a6fe6f885e0320a8b52ca7312c994d6a610642

SHA512
3bf54e32a0cb545da77858ac830742a9a8108366614803677d42d0e3b3cc35f0132c0a5c312460bd306071b7d4f18533bae005cb39714c129488592e09e07466

Download Submit
C:\Users\Admin\AppData\Local\Temp\bggM.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAwm.exe

Filesize
557KB

MD5
2cc103d277e524a615875a3145d7f6fe

SHA1
9e3bfb78ae582e4df516254c04bf8eb53bd64354

SHA256
2199ec70721a6cffb5694c5f2fd3ccb16db3a4b3b7607ea19965e3fb56939cc2

SHA512
19a68e5379335188c6ee94af9787248c5e38dae2c3a2383456b45ea96a9e30a539665316918761a21f9dd89d6ba0023a85e482cee164c808e064730165a4ebf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKgAwkow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKgAwkow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYAK.exe

Filesize
5.9MB

MD5
8d93d90fb7d09faa6b6235d789855350

SHA1
6986fc7dfe79232ee000ddf8fae220a55367862e

SHA256
d5417bb66a379d5114487a050db133c191d1458c660c5f95a6397ad38b518e5d

SHA512
a653be7af0ee8574824fa94c7c59c79ed7ec7419dbf2d3d14d04abe3c62d830fc25f96bc56cd4f3d3a9550672f66a264ddbf120376d28ec052f02923ba1d7439

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbeb8a1dc9c1cc99182866d178ecaea8

Filesize
6KB

MD5
8b0271e0dc1d723ea9b9bfca72f35cb8

SHA1
21e0292b2a75f4ba5421e03ad29c5c6f00cd7132

SHA256
66cb10ca453d7e731070da923a0f9a767f0742a4c50b0b3cc04b42e43104fa46

SHA512
fbdde8fae5d182d0f07889e6a7442ea55fbae30aba66c67c1acf0158355ac0be507873436e4bbba8c3726315314d511660743a5b5e3ca2bd179d9b4854160fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cckG.exe

Filesize
201KB

MD5
d2a525f585ff9185e14903d8604bb3b4

SHA1
ba127dfe6219b2a7ef9bcc95e4f6ae04017025e1

SHA256
e92fd9e02cbebfb33412c207a38ea341ae8935552c5d9c63ff9ff4e711990e33

SHA512
611c7d541beaa482ca37ec8fadd9476431248faa982eba13b052983e181dcc676fb98e6e1cf2132867785bec708f9489917effa019e571cad16bd27fe0adb567

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkEc.exe

Filesize
642KB

MD5
444ce000f8b747c56bcfffef74f3c4a1

SHA1
93dffe66fefb785cdc943bee2cf837eafa84366e

SHA256
468467ad460ef9359b8b152d699601a27204c53c77fe40d15c0b34e7b911d513

SHA512
6cc9c1392b9e511d635f1cfde172292c070db9fa0c4aeff2d60be2b0fa21ea65e55201364450294a8c9a6bd5876d078ea4a3d273acaf7a5020b92cd2d7792042

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsko.exe

Filesize
449KB

MD5
bf3880a47f3b3813e542d8fca666a809

SHA1
6b600a7a9a7a1765e0a081ea5c80dab3b5fea637

SHA256
8e3c0f4caa296df803a5afca2d45b8c9089276da40f6c6bae3bc1d1dc890960c

SHA512
98444694ba7a7be481fc41ad67a1352240a739aca8e21db2f083657ce845434ab4a188d28e1726cb5e91ff3bf044d4d170a4e6faaba0a852c8c1d1e5e052ce90

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAEO.exe

Filesize
737KB

MD5
48de6e8fe8848ab85bd737804580861d

SHA1
d0f383ab71de41c082794f1436bf4c1346554fb4

SHA256
af9b117ea7bcc22f62389800322195f711f91748e92ae5735a8e650c566cd84f

SHA512
61b83305fe59a18a375a5d97d6f67ba0cb57add6fb5d6030b5ed47029be8f038267282dc3dd84d33ba6ecbf3ae0e1de634a12e6b346db72dc398c197d43b408c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eWMMksgY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\emIsIIoU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewgs.exe

Filesize
523KB

MD5
4868ade6789fcfac492bfd8dfbae1c8a

SHA1
ad72b429073b03dd1cf87672ea9163906cd4dede

SHA256
905c8d7c4df0af14858af9db204be7ba854df44bbbcf679e0ed320eea282d4f0

SHA512
5e9a7768a592d6cdb4dbe32aed914a04e8b542a4ac792fd112197e787aa9c06011228b0ecd5af9c395d7a05210f8a4def758201aa63ccc7368e1d0ad4ca1f0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMoW.exe

Filesize
209KB

MD5
0aafbdf754900f153473caf0023d9e6b

SHA1
c18bc7f3b1c273100a2263ba9a8c8555356efc1e

SHA256
6ea9ed076e3531f8ce947e3d5191936fc9f67bb082c28919669f814e5efbd37e

SHA512
a9200354173b2c75221cfd94088a2d6b49cc042c966f51d7d4a59d5e3bc34f6471032156ac065f1e2c409d40f0a3a6021cc9eb37b9628a575c5589e360195054

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYoW.exe

Filesize
202KB

MD5
0f819f256e4a72cc70459801c67ee8aa

SHA1
6c8a653654c873c7683dfa7e8ad2da8ded53c603

SHA256
67894b2b09a3a6880b228cbdc12d725a407405d8258a587c7e8c188c95da63ab

SHA512
10fa45f7759ad7307707139de6930caf8a281236348583bfe84b63e0966989deeba9dcd7f9bcb08ab2da4599786429f264c3ed1371c8d143ca92f218b39253c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIAIIcwI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcMo.exe

Filesize
192KB

MD5
49cc58b76affd751fd30ba5bd199c5d0

SHA1
d17a350b366e1015ef5ccad7992311860dbbb5c3

SHA256
a05ca5c0e47ea9b79d5ca1fcba58eb5d51e23c4fdf1f0f76306a188cb1da42a0

SHA512
ebe3494ba294b1f2e2df2cc9d67d85b5b8b317b8ebb9c3c3b753c01eb561442f2797c5d8a67c9567342da21a893369bda5ac0ef1e1e8a7c6c82bf65a59292662

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggEQMYMU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQkC.exe

Filesize
657KB

MD5
aa86d9c4bc5243345d39feef5446d3ba

SHA1
51c75c9e22aa2c998d7fdd4b24334f6c5a8b95a1

SHA256
bdf7c957b57690377e092f30e3911589be33769bf8a77acb50e9fa9f4b99defb

SHA512
03ac502f48b7456c17e211fb26a019aa2a4f733623d2e825be06657f9e36a6f55e6b6b1b46e7a0a09a381e2d2f981a266a756c9d603da9da1f024f111ffc6458

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEEG.exe

Filesize
5.9MB

MD5
3cce54f760143afca6223047a0aa77f9

SHA1
0b071e6413df6fa8b6074e0071e565809436c307

SHA256
9b656a4500d3058de64893f4144d21b795e34a226f4f081385be2a28f0e0bea1

SHA512
867b7fb50cf160ed08506758b86bc2c50e3514601cb226b1cee3e281167edab4e54afed7b6698d53273e0fd30ab5811d865e3fc064fe22b304a13fafb26ce563

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEksEYAQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIog.exe

Filesize
205KB

MD5
b046c5144ca8b5bcd8c6ca917f0a57aa

SHA1
e937eb7eb9e64a597f6e4d3c759d8563a101ad38

SHA256
139bda5601ea39c6bedb866bb59a557254e24d5625bf7aef176a9f5f116e968b

SHA512
d627a773c610780dcac2a2cc98e3b7119c4d694cc7ae8aff7394fa34024e30cd9302ccb2c1ba6af57b86c688a56881697b79db4a456e26c9d659508441f75717

Download Submit
C:\Users\Admin\AppData\Local\Temp\isoQ.exe

Filesize
780KB

MD5
8750bcff31192790d516be015384f62c

SHA1
880212e53983ae4048d2a3a4122b92528240b986

SHA256
f965907c324b38c3d74b17dc8ff27b59734ac5a75e9d89d676e58cf9b3f6492e

SHA512
d1a0a5f6d3cdaac5f8856d5dce713094c09430d7505b4d024ab7794b3b5df61a37416f3c4009f6ef0e9af5bbd2dcbe57ac840345767b736095dddb14e1012765

Download Submit
C:\Users\Admin\AppData\Local\Temp\jOQcMEcQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgoQ.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEYQ.exe

Filesize
456KB

MD5
e3a9a50a936b1186a6bca519d17bae92

SHA1
6d977ab3908e15d2e4023bb213b97a862dbcb779

SHA256
397f038c9518e6e98492f4bad18202b9ba51c9ccc96a4f5341d22c5c13c26a11

SHA512
c973ce038a17f51a519bb79ac629bdc9687665cf3b9720e3b0720f10d9147489f62c077daf1b9d2e12c9e539a5415da1dc18a3a912cf081bc5f0d28541024fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYkw.exe

Filesize
195KB

MD5
b4712ca750c527c690bf16eb8982e65f

SHA1
58ce349b06edc209794bd2e8d848b815e42b4a5b

SHA256
f9775246df0badf98f458de2395e0d6a56c1a3163141a7b2d800ab197053d208

SHA512
fe5be1609be53f9fd110602fa8e40b9c2c2fe84c902ae20b0442217e72554a3a34b5461be5ea946bf9603bd288e6a1e35c12adbe3667343944f2c45c612a29d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcUW.exe

Filesize
191KB

MD5
455b632d9e60db52421bb610d8c88afa

SHA1
a31b277ad9eff47cb6bb669d8964d3e3fa81bf29

SHA256
d7279086980219d7211a5eae0c356ce102b3197e95cb631833ccbc74bb978645

SHA512
d9012242ec7e31432cebb1bcf611b8cebb8beae49b6355db021ff35c79b52fb95454ee04aa992dfd4d4ae2f275918daf5ee20ef2685700cf6fb84b9fcf06e98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\koYY.exe

Filesize
210KB

MD5
b2cffd1b251a12fea894cb11b6a072f8

SHA1
82a42f6d4a3093fd951d2217fc8cfb35ff885176

SHA256
35a07027aa81172450e3c1f36b26c80f538240ae426846a16e3873f13ef7fad2

SHA512
3992c4b83e3ed0d16f8cc000c5e87344116b1da4c57717aa2e8e68b06cf24698805423f9f420ca598c21dd048237b5f847002dc09c42f597b1438811be15c818

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwYy.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQIe.exe

Filesize
198KB

MD5
c1f9e9d82776eacb797cc5412d616a77

SHA1
ffcc28999496e560d7c6ea70234770bab5e62c1f

SHA256
c6f0c5b32d8671d81302df6190097c087a91d4296580a45945f6a07c73d816dc

SHA512
629cfe3c793f788e7a6192ab15b084a48e718ee04b5695f7ab3a86f261330017586f12af157eb87445db429c1e3bb4e9924124bd12d1caffc859aacc4177bced

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUQI.exe

Filesize
187KB

MD5
eb5a56fc29ebe4dc8fd1fd60474b62d7

SHA1
4eb8cf3df1d5df7c5b97e96aab3192197ecf2ff1

SHA256
a3e3c9c791ed9379d9fafbeea111c3de23acdf52f19dbd911619aff480aa21f6

SHA512
5bc8fb0f49364c10e9b8d6b1d0ca09a05ee4e093a5d020e7cd1c2b789e8ff2ddc49f59ce150cf5813dccaf891e0424ae35b10f9f103e471e6be18e0b7ecf07ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgce.exe

Filesize
205KB

MD5
8f594a19e68ed7ec5641b0279cae6da5

SHA1
58b613a314e05488e1b5ead86c837e97ba559530

SHA256
9e3c13e4fd24d8bf7d200c7c998bb0cc6d5600bf045698a8972dc1a0494aacd6

SHA512
6b109e2a718770c7d097f8845007250161edbdfeb2e91301ccf5f6cd1c34187c80ff76879566814f97e13798e53aaca787c57f3d11d02828f122edba84e2f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkwkAAow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAQu.exe

Filesize
819KB

MD5
5823d456b810a9ba0c7f930de687aac0

SHA1
470b805b80caf4f85b67a55b3a065d91a2a888a4

SHA256
442687ce6ea383691a180233dc5fb4e82c28633e21c09e4f33b34e2502f4c266

SHA512
990d5f49848932463936bf47306471e3c613458cb38f314870167558ba1430505533d4ca16eb168aa09495b011e0aa346554998bddc49a50871887946428ebab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooQU.exe

Filesize
193KB

MD5
fcfe079d0e1be5cea47f8eb210814581

SHA1
f3cdd45f073d29c8deef901b1d1ed909828214a8

SHA256
20549e9c13cdbd9ce54a79c592ccfb791e530b52a074fd8c4bf434a1fcb12437

SHA512
5a5f9370fb42be6e2422f872fdf2944ac4d2f321232b969118ec42ffb665ca47a0957f6f8430524a4871541064e5c5eb335a7caf6f0b6c6d200ce2f1bae538e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIkW.exe

Filesize
204KB

MD5
26940ff3292f050f09b0360502789f65

SHA1
3ce29b3b3d472906b2cf78bb7e858bea55ce4610

SHA256
c2d4717b538b6e0d47990b6fe59087be5b98f5777eed00d688e1540d67c6ff72

SHA512
a95c706f6e9895a7405e52e3abcb781e849db860e68771ec065a1da9c75bf6d856ff659e88e8b96ad5d4d7c02e6a7e1ea3b1113aed85ff727e541149a74aa858

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMAu.exe

Filesize
5.2MB

MD5
09b9efdb940dea391ea51be1fb716c6f

SHA1
1f9702e0a27926cdabb0e9b9abd9c758b4db0a9c

SHA256
06a5643e9d26d6871d7cd615b83affe3e073feded10aa9d4eebd24132c767702

SHA512
fac1bc855f63e0d0f290f07f23efc64d26a1e557b99289e94ff59ab96e0ccdc6d33efc58de9bc3262b94402eb87f71d150c2455c12685c4a7ab14d55ebeb2739

Download Submit
C:\Users\Admin\AppData\Local\Temp\qogC.exe

Filesize
192KB

MD5
665b5501476d834b8d32dac5cba3861f

SHA1
9950738d0dc3cbecca05729f6040e1b8a45d8bab

SHA256
f8ed88487ddcaae1ae1cefa196f0b652feb376e805db51bdcdf191857c1fb7c4

SHA512
874b3698502685a82beee4bf7e442988f37739076247f4194dd74abc3d87ad2c4e02383fcd4bdbb1748d129b8edbf85760f351e693a525ac3cbbb25253159bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAgG.exe

Filesize
566KB

MD5
7f3a603a953a182f6fd29c8ae1b5be79

SHA1
79698a010c4296ad42a164135e8e571fc27cb569

SHA256
98e13024cfd5a7e68a57be5b8ae9892af0375ca7be8a64fa74602a61822a9ed3

SHA512
420baec7ffcc8ce42977a4293825e55daaee4c81b6b18b5fa61951e30827a32281601e70aab271b1ca67748782fe07792b3b630efb1cd4a0337a632147939a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYMe.exe

Filesize
329KB

MD5
5763206979351d1d93aa4f2b2d482484

SHA1
960a1b2257e40cfea963605bc7a1b094667e78e0

SHA256
a131e0443054c2bf00c7d262f1d421ef9bd4c376fe1d0903d1e5db5f97b5094c

SHA512
accc6b7dbaa7f2011428777566b19fce5eb9a9fe98bc3a312f45a6a75e7847bdce53827d635115354374663c54596433838c411a3ede94487c4efe86d13a17da

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUks.exe

Filesize
190KB

MD5
ddff4518ddaf773db00168d23b01cffa

SHA1
a6e57f78ba796152f0a20dacf8c36a91f41a43d8

SHA256
87903b324fc3f5fcdc18522ecb11bbfd0f37ad7e1f9a5471bc29c386981533b2

SHA512
1f96c0c20a2f90854aff7d98f116dc34b390970505875d4873f2261e4531f697663ab3baeaa17bb29ecefeb3bc266341784ae168d48d8dd2b4f9846a5f447828

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssgc.exe

Filesize
187KB

MD5
8b89b074be5a2f562e06044036a2675b

SHA1
1046a6907255aa3ba6f21b860566c923cf45f1c2

SHA256
00f913ab089f7c172bc5d947807ba6d9e7539c60c265eedf4df08f2d394370a1

SHA512
3477dd943199c9059336440445461b399271c7eb7f052717b5c7272a902d3bef7a23f59e05794b156e4c17e6cffbe55a84f0bfad334cac3b40045f2aa3e0b2de

Download Submit
C:\Users\Admin\AppData\Local\Temp\sswM.exe

Filesize
208KB

MD5
73371c42ed1415efd19d1f25f50fae37

SHA1
f6e8e3cc9817a44b36607149f43e978faf14a3a8

SHA256
deafcaa732dbdb025739a57985afb5f98357030414f945f80e825045793ba422

SHA512
d9edfc86b17701026b45f35eaa2023e07b430dcf052150150d344272241b31c4a1604a2f44cba577e9b8631ad1e10d79084a33897cb4c8334812927e4df530dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkEY.exe

Filesize
191KB

MD5
d11c3d5b3c20e022a15ec7b1913362ae

SHA1
d1099b9b044a676fd9ae9a27e14f5c10bf031650

SHA256
cee006f7a441fc63387e081ca76002b730aea2e0772803a7960613cb75b831f8

SHA512
5ea5fbc3b266d4e8751c4edd756559fc98abf955785a9b14a5a3c08dc384948443b1cf93e8b0718e673d7a5f16509b6181cd1d69837345b63848f6859a030a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\twMa.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQkC.exe

Filesize
197KB

MD5
ff6b905cb01e7a9f0cdb3da14e72d766

SHA1
47de78fb8855b34026ffa380e622a10d6b05bea7

SHA256
2db37592bd6259c128e2fdcebc88b6588de5da9ac91701c8fdfa7fea1fcaadd9

SHA512
817a90639a8bde0c407ef05ff6e45cc71f4b959856c6a11658fde141453defe4d9923ec46bb5262a9f4b158507dca4fb4e43e9aa57ff58d472e328dad4cf98ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukEc.exe

Filesize
206KB

MD5
3dff559d9449ddf6e121deff827b6e7b

SHA1
1efd7a2d2a1b8124631587dc230f23521b95d96d

SHA256
b7bc6e4b05a318405b2ffa64cbc1e2bf922bf9c0383451d0d80b28567e2e242a

SHA512
f989bd3e05359fcdb35bbad2025215679df4ab95f171672f6fbfd468e2134e72485ae7c75f0b38804542e03ee1bcf1d0a1eee90691a192371e59acc3dbe76c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\uosu.exe

Filesize
789KB

MD5
88c66c7f224a90ef96b0b5cf57c537d5

SHA1
5efc9fe25d731cd579dfa9f35bc8ade2e5d1a121

SHA256
fbf0ec75c34dd1066e7c4820a94b2bd9ec820f4973faa72e62a9c904c1e6e1b3

SHA512
ca1260e2eae47c82841f2278c254739008a29d59e76dd19d77b2e22517aab09fa29e695f34af45c640a6d696923cdf7a5eee50dc9056f3a503f6a5056c393f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcoq.exe

Filesize
200KB

MD5
8e91bfed14156ca12bb53d76c9047a4f

SHA1
8740493a19de94d76f1608f47b980c4c7723ebdf

SHA256
18118c0a63ab356c08ec7759970209930363b95d441064bc153d3c66dc2070d4

SHA512
5e9a287d3d0a3d6d4c8053c733ccc29c8c723259073a8b134c993f08354d759b5817ffd623ff3af361ceb0cec877b59bf55433746fd99b3ea95a2656351bb2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAUcQIcw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsoS.exe

Filesize
185KB

MD5
367f8796d8d7d8dd48bbf9a968a39979

SHA1
8db62f084bfe388677a682dff363992bec81d096

SHA256
a50bc794594feeeabdab4498f272ddac000b25d3298afb4dddd291685bfc8fd2

SHA512
011a18246594952443b42d06498857798e2810f2ce4904be755c9cc91b37d7ce7336e132d735e9816c82a689b33261d2c24829572155cc8caebd4761a63a2032

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEAE.exe

Filesize
211KB

MD5
b415eade6575b8ee4465cfdea8a5211a

SHA1
0416f2d5548ebf57620b3e06ce1fa5a6b39540c6

SHA256
053f4653d336075da0c5103a80bb1e71f15b741ebcf5ced0514fb4b018d1b974

SHA512
b5f94e1d17d16fa2da7fb83328b30521da2d4c70c9b5f414f539ee351a8f4def5efc25f3bab136b42a047df385daebca0f4ff5e5206c8b1eccdec8d8079589f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQwQ.exe

Filesize
825KB

MD5
b32a676c84c74c87a3568fee2eb907af

SHA1
ab385a965aa95c1dbbc4bc853510f72601279ebc

SHA256
f20b3673c246099c4d732349493150c7a3c1ba9dfbc292987aac0b5e60ffc10d

SHA512
94f73a8a9d678eedfe26a96e4ab6ad0819e66d975c0769e65ab3980f0d371dc4878f309ae73188f85d88e9cd26c0c352f4b23d00bd0d27c83bf5050c3b07e5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwse.exe

Filesize
208KB

MD5
c1308a292dff5e72f58bf11b80b2a93f

SHA1
c631241784fb6595ff0d1e0df02870e2e687f873

SHA256
71ac30fa78548654d66f00637cc49f18fa146eb18babaf096015fa31963790d2

SHA512
949b4a3ca1874428c3f4bd7aa4667d5f77ac42c92f10215ea4917bb964e51307bca038f7e77e909f3d36e20db3d03b2113f3e8552bd486eb0ff4803bf696c2c7

Download Submit
C:\Users\Admin\Pictures\SplitMove.gif.exe

Filesize
601KB

MD5
6bfb3fe21b698854133151472dc05dd6

SHA1
197783a8ffc496ba2655c4944a427ad4cde80aac

SHA256
d20c91afde19241a67a81d158da3892854e5c0bdb1dbd6743938de0da47ea910

SHA512
9d96e341e4139a3e0016d7ae0cffd1d7a4657047820c0783bc0538a71ead8ac50198e76c87490c4a7c6c32e01fe31037f8f1c0811a9436f4bbb8e39e10764f88

Download Submit
C:\Users\Admin\SoYIMcwk\BiskQYsU.exe

Filesize
194KB

MD5
fccade8ebb4355336e304601f65b83f4

SHA1
7048108bc80781d510c2099f11f2b46c341a5402

SHA256
dd7485f960f1cf75b7cc69c531b53ded54116227a4d9a14e8ed39c35aa6b1e04

SHA512
d7c524a5466c2b1bd955e9bf544b6a51dd57d81522793f01e0d3159b05f007f2047bdf37cd931b50cfbf777ffe00f7a520ae1e5964ea801c907914a08b371099

Download Submit
C:\Users\Admin\SoYIMcwk\BiskQYsU.exe

Filesize
194KB

MD5
fccade8ebb4355336e304601f65b83f4

SHA1
7048108bc80781d510c2099f11f2b46c341a5402

SHA256
dd7485f960f1cf75b7cc69c531b53ded54116227a4d9a14e8ed39c35aa6b1e04

SHA512
d7c524a5466c2b1bd955e9bf544b6a51dd57d81522793f01e0d3159b05f007f2047bdf37cd931b50cfbf777ffe00f7a520ae1e5964ea801c907914a08b371099

Download Submit
C:\Users\Admin\SoYIMcwk\BiskQYsU.inf

Filesize
4B

MD5
549d1f97a5f64c5b4d51d0a71067b9e7

SHA1
132f2790b0d5aa939028073f640d097d902ef773

SHA256
baf40049866ffbbd72c5509beca3c9e08ef275b67f8d6839441a9c1b8e3593c4

SHA512
eca12046dcc493135a4647e7a013e62cec3fa290265d14f44cf62231fdd80e61458e46f6e71ff25b44229d20426cb6c24171ae26f4c5110a94cdf4a9bd65cd8b

Download Submit
C:\Users\Admin\SoYIMcwk\BiskQYsU.inf

Filesize
4B

MD5
549d1f97a5f64c5b4d51d0a71067b9e7

SHA1
132f2790b0d5aa939028073f640d097d902ef773

SHA256
baf40049866ffbbd72c5509beca3c9e08ef275b67f8d6839441a9c1b8e3593c4

SHA512
eca12046dcc493135a4647e7a013e62cec3fa290265d14f44cf62231fdd80e61458e46f6e71ff25b44229d20426cb6c24171ae26f4c5110a94cdf4a9bd65cd8b

Download Submit
C:\Users\Admin\SoYIMcwk\BiskQYsU.inf

Filesize
4B

MD5
7914099061b29f29f07f174263fbb037

SHA1
1a58a80d8a270805986577bbf2cf3923c396bb54

SHA256
1255425aad09c379a96926931cc19c4893c63cd2af9be13d50a25b212c43fd3c

SHA512
57b815dbdc73345d17a9567ddd4fc5bd54b03f7cdf823d6ba024df43ca49ff1d6e95862b563f4654a426e708e767a0c1c44f30b6e853558678a1d44369057bf1

Download Submit
C:\Users\Admin\SoYIMcwk\BiskQYsU.inf

Filesize
4B

MD5
f148c31740b7d21af40ac2ae76e35965

SHA1
14f1a70cbbaa511eee6f3f22f0745a6722ff0956

SHA256
d49fc3143ba2137ddb7a925c7db102109cc530adfdba5441715bebce4b085e8d

SHA512
2b8310d701fc5c6c409d8a549d8c4cf80dbcc59feb61a9067a1c67662ddd5d8f1d26e304c1a91429e1f54de71b128d2494e6c6dff2b1bde73fd781b637bd9550

Download Submit
memory/336-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1032-577-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1164-594-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1268-152-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1448-154-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1448-166-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1504-414-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1504-176-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1508-256-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1700-424-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1900-532-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1900-524-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2016-550-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2132-498-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2132-505-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2136-279-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2176-559-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2176-552-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2244-218-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2248-451-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2316-460-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2316-453-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2640-540-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2660-205-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3144-193-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3144-201-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3148-397-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3208-604-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3248-230-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3268-441-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3376-241-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3640-513-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3672-523-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3696-189-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3816-567-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3908-317-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3908-379-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3996-366-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4020-343-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4092-496-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4128-293-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4152-150-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4180-257-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4180-268-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4308-217-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4368-151-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4372-387-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4456-355-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4456-350-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4636-468-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4664-406-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4664-402-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4896-328-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4896-586-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4896-579-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4900-433-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4900-429-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4944-486-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4972-623-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4980-306-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4980-303-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5064-478-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-613-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-605-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download