8dc63d8bc0c33d871c68ac5a160fedd92d6249b7292d2d960421ca0ae1768ca8

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3FD19852.exe
Size

240KB
MD5

09f4b910a7a2918b86bab987530358c5
SHA1

14961252b8202b737cf4650090864fe92c9ac505
SHA256

8dc63d8bc0c33d871c68ac5a160fedd92d6249b7292d2d960421ca0ae1768ca8
SHA512

4256d7040f68842aa4f7b8dc47c7f9b415ee2c375117061385db4b9d33699a634400b09088a0110d52f30ca1526d49eb4715a938e70f2afc8ec6bd57ba1e10a9
SSDEEP

6144:A0Zmafi6xCE6T/bjb0fTntckefV3MBtg61:A0Zvi6xInbKVwVAR

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	TrustedInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3FD19852.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3FD19852.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3FD19852.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3FD19852.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3FD19852.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	DllHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	vkEwYIUs.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	PwwUQQQU.exe
3296	vkEwYIUs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PwwUQQQU.exe = "C:\\Users\\Admin\\XMokwsoo\\PwwUQQQU.exe"	3FD19852.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vkEwYIUs.exe = "C:\\ProgramData\\qWMsMwok\\vkEwYIUs.exe"	3FD19852.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PwwUQQQU.exe = "C:\\Users\\Admin\\XMokwsoo\\PwwUQQQU.exe"	PwwUQQQU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vkEwYIUs.exe = "C:\\ProgramData\\qWMsMwok\\vkEwYIUs.exe"	vkEwYIUs.exe

Checks whether UAC is enabled 1 TTPs 56 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3FD19852.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3FD19852.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3FD19852.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3FD19852.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	vkEwYIUs.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	vkEwYIUs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4308	reg.exe
5000	reg.exe
5108	reg.exe
3408	reg.exe
2180	reg.exe
1656	reg.exe
4648	reg.exe
1920	reg.exe
4732	reg.exe
2872	reg.exe
1516	reg.exe
2788	reg.exe
3444	reg.exe
4208	reg.exe
4544	reg.exe
4908	reg.exe
620	reg.exe
1316	reg.exe
5056	reg.exe
4488	reg.exe
4684	reg.exe
2380	reg.exe
3404	reg.exe
2580	reg.exe
2192	reg.exe
3056	reg.exe
364	reg.exe
4332	reg.exe
3896	reg.exe
2532	reg.exe
4176	reg.exe
3552	reg.exe
5000	reg.exe
5076	reg.exe
5116	reg.exe
2252	reg.exe
1316	reg.exe
5020	reg.exe
3416	reg.exe
952	reg.exe
2192	reg.exe
224	reg.exe
3476	reg.exe
4480	reg.exe
2920	reg.exe
1696	reg.exe
4900	reg.exe
2132	reg.exe
4308	reg.exe
4724	reg.exe
3220	reg.exe
3328	reg.exe
1996	reg.exe
4352	reg.exe
4640	reg.exe
5012	reg.exe
4316	reg.exe
2000	reg.exe
2648	reg.exe
4568	reg.exe
4576	reg.exe
952	reg.exe
5012	reg.exe
3600	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2752	3FD19852.exe
2752	3FD19852.exe
2752	3FD19852.exe
2752	3FD19852.exe
2072	3FD19852.exe
2072	3FD19852.exe
2072	3FD19852.exe
2072	3FD19852.exe
4412	Process not Found
4412	Process not Found
4412	Process not Found
4412	Process not Found
3624	3FD19852.exe
3624	3FD19852.exe
3624	3FD19852.exe
3624	3FD19852.exe
3728	3FD19852.exe
3728	3FD19852.exe
3728	3FD19852.exe
3728	3FD19852.exe
4712	svchost.exe
4712	svchost.exe
4712	svchost.exe
4712	svchost.exe
1772	3FD19852.exe
1772	3FD19852.exe
1772	3FD19852.exe
1772	3FD19852.exe
1184	3FD19852.exe
1184	3FD19852.exe
1184	3FD19852.exe
1184	3FD19852.exe
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
3676	cscript.exe
3676	cscript.exe
3676	cscript.exe
3676	cscript.exe
4028	3FD19852.exe
4028	3FD19852.exe
4028	3FD19852.exe
4028	3FD19852.exe
2924	cscript.exe
2924	cscript.exe
2924	cscript.exe
2924	cscript.exe
948	cmd.exe
948	cmd.exe
948	cmd.exe
948	cmd.exe
3704	3FD19852.exe
3704	3FD19852.exe
3704	3FD19852.exe
3704	3FD19852.exe
3624	Conhost.exe
3624	Conhost.exe
3624	Conhost.exe
3624	Conhost.exe
3912	reg.exe
3912	reg.exe
3912	reg.exe
3912	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3296	vkEwYIUs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe
3296	vkEwYIUs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 3068	2752	3FD19852.exe	85
PID 2752 wrote to memory of 3068	2752	3FD19852.exe	85
PID 2752 wrote to memory of 3068	2752	3FD19852.exe	85
PID 2752 wrote to memory of 3296	2752	3FD19852.exe	86
PID 2752 wrote to memory of 3296	2752	3FD19852.exe	86
PID 2752 wrote to memory of 3296	2752	3FD19852.exe	86
PID 2752 wrote to memory of 224	2752	3FD19852.exe	87
PID 2752 wrote to memory of 224	2752	3FD19852.exe	87
PID 2752 wrote to memory of 224	2752	3FD19852.exe	87
PID 2752 wrote to memory of 4712	2752	3FD19852.exe	89
PID 2752 wrote to memory of 4712	2752	3FD19852.exe	89
PID 2752 wrote to memory of 4712	2752	3FD19852.exe	89
PID 2752 wrote to memory of 4892	2752	3FD19852.exe	92
PID 2752 wrote to memory of 4892	2752	3FD19852.exe	92
PID 2752 wrote to memory of 4892	2752	3FD19852.exe	92
PID 2752 wrote to memory of 2648	2752	3FD19852.exe	91
PID 2752 wrote to memory of 2648	2752	3FD19852.exe	91
PID 2752 wrote to memory of 2648	2752	3FD19852.exe	91
PID 2752 wrote to memory of 1868	2752	3FD19852.exe	90
PID 2752 wrote to memory of 1868	2752	3FD19852.exe	90
PID 2752 wrote to memory of 1868	2752	3FD19852.exe	90
PID 224 wrote to memory of 2072	224	cmd.exe	97
PID 224 wrote to memory of 2072	224	cmd.exe	97
PID 224 wrote to memory of 2072	224	cmd.exe	97
PID 1868 wrote to memory of 4568	1868	cmd.exe	98
PID 1868 wrote to memory of 4568	1868	cmd.exe	98
PID 1868 wrote to memory of 4568	1868	cmd.exe	98
PID 2072 wrote to memory of 1360	2072	3FD19852.exe	99
PID 2072 wrote to memory of 1360	2072	3FD19852.exe	99
PID 2072 wrote to memory of 1360	2072	3FD19852.exe	99
PID 2072 wrote to memory of 3336	2072	3FD19852.exe	106
PID 2072 wrote to memory of 3336	2072	3FD19852.exe	106
PID 2072 wrote to memory of 3336	2072	3FD19852.exe	106
PID 2072 wrote to memory of 4308	2072	3FD19852.exe	105
PID 2072 wrote to memory of 4308	2072	3FD19852.exe	105
PID 2072 wrote to memory of 4308	2072	3FD19852.exe	105
PID 2072 wrote to memory of 4136	2072	3FD19852.exe	104
PID 2072 wrote to memory of 4136	2072	3FD19852.exe	104
PID 2072 wrote to memory of 4136	2072	3FD19852.exe	104
PID 2072 wrote to memory of 4604	2072	3FD19852.exe	101
PID 2072 wrote to memory of 4604	2072	3FD19852.exe	101
PID 2072 wrote to memory of 4604	2072	3FD19852.exe	101
PID 1360 wrote to memory of 4412	1360	cmd.exe	109
PID 1360 wrote to memory of 4412	1360	cmd.exe	109
PID 1360 wrote to memory of 4412	1360	cmd.exe	109
PID 4604 wrote to memory of 4076	4604	cmd.exe	110
PID 4604 wrote to memory of 4076	4604	cmd.exe	110
PID 4604 wrote to memory of 4076	4604	cmd.exe	110
PID 4412 wrote to memory of 1688	4412	Process not Found	111
PID 4412 wrote to memory of 1688	4412	Process not Found	111
PID 4412 wrote to memory of 1688	4412	Process not Found	111
PID 4412 wrote to memory of 3132	4412	Process not Found	113
PID 4412 wrote to memory of 3132	4412	Process not Found	113
PID 4412 wrote to memory of 3132	4412	Process not Found	113
PID 4412 wrote to memory of 3740	4412	Process not Found	114
PID 4412 wrote to memory of 3740	4412	Process not Found	114
PID 4412 wrote to memory of 3740	4412	Process not Found	114
PID 4412 wrote to memory of 4312	4412	Process not Found	115
PID 4412 wrote to memory of 4312	4412	Process not Found	115
PID 4412 wrote to memory of 4312	4412	Process not Found	115
PID 4412 wrote to memory of 3352	4412	Process not Found	116
PID 4412 wrote to memory of 3352	4412	Process not Found	116
PID 4412 wrote to memory of 3352	4412	Process not Found	116
PID 1688 wrote to memory of 3624	1688	cmd.exe	117

System policy modification 1 TTPs 56 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3FD19852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3FD19852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3FD19852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3FD19852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3FD19852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3FD19852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3FD19852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3FD19852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe

C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
"C:\Users\Admin\AppData\Local\Temp\3FD19852.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\XMokwsoo\PwwUQQQU.exe
  "C:\Users\Admin\XMokwsoo\PwwUQQQU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3068
- C:\ProgramData\qWMsMwok\vkEwYIUs.exe
  "C:\ProgramData\qWMsMwok\vkEwYIUs.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
    C:\Users\Admin\AppData\Local\Temp\3FD19852
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        5⤵
        
        PID:4412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        8⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        10⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        11⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        12⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        14⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        16⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        17⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        18⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        19⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        20⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        22⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        23⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        24⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        25⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        26⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        28⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        29⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        30⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        31⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        32⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        33⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        34⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        35⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        36⤵
        
        PID:2084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        37⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        38⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        39⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        40⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        41⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        42⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        43⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        44⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        45⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        46⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        47⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        48⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        49⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        50⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        51⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        52⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        53⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        55⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        56⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        57⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        58⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        59⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        60⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        61⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        62⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        UAC bypass
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        63⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        64⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        65⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        66⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        67⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        68⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        69⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        70⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        71⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        72⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        73⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        74⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        75⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        76⤵
        
        PID:4532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        77⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        78⤵
        
        PID:3732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        79⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        80⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        81⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        82⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        83⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        84⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        85⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        86⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        87⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        88⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        89⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        90⤵
        
        PID:4216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        91⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        92⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        93⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        94⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        95⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        96⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        97⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        98⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        99⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        100⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        101⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        102⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        103⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        104⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        105⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        106⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        107⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        108⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        109⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        110⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        111⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        112⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        113⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        114⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        115⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        116⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        117⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        118⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        119⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        121⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        122⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        123⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        124⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        125⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        126⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        127⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        128⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        129⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        130⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        131⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        133⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        134⤵
        
        PID:1540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        135⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        136⤵
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        137⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        138⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        139⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        140⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        141⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        142⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        143⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        144⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        145⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        146⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        147⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        148⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        149⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        150⤵
        
        PID:2616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        151⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        152⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        153⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        154⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        155⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        156⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        157⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        158⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        159⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        161⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        162⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        163⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        164⤵
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        165⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        166⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        167⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        169⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        170⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        171⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        172⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        173⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        174⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        175⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        176⤵
        
        PID:724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        177⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        178⤵
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        179⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        180⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        181⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        182⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        183⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        184⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        UAC bypass
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        185⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        186⤵
        
        PID:4060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        187⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        188⤵
        
        PID:2944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        189⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        190⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        191⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        192⤵
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        193⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        194⤵
        
        PID:1200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        195⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        196⤵
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        197⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        198⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        199⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        200⤵
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        201⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        202⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        203⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        204⤵
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        205⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        206⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        207⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        208⤵
        
        PID:3884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3FD19852
        209⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3FD19852"
        210⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecoIQUUA.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        210⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmsAQAYA.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        208⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUYYYkMw.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        206⤵
        
        PID:2508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        UAC bypass
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        UAC bypass
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:4224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKEQwksE.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        204⤵
        
        PID:1652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        UAC bypass
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gksMIIgg.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMQsYEIg.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        200⤵
        
        PID:2364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raswEgEs.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        198⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySUsEEgs.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        196⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgIgIYQo.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        194⤵
        
        PID:1404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:3888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqoQgkME.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        192⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSckcMsc.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        Modifies registry key
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:2188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOkAoIgc.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        188⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSkIswsM.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        186⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueAMYkMo.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        184⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies registry key
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies registry key
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        UAC bypass
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GioIYgsk.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        182⤵
        
        PID:1952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        Modifies registry key
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmIMUMow.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        180⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKcAcwgA.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        178⤵
        
        PID:4436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEQsgYYA.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        176⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umwoIAYo.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        174⤵
        
        PID:380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        Modifies registry key
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies registry key
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmkosIYc.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        172⤵
        
        PID:1260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQMgUkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        170⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        Modifies visibility of file extensions in Explorer
        Checks whether UAC is enabled
        System policy modification
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        UAC bypass
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOUsoksQ.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        168⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMwUwUsI.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        166⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:2984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiwAwcoI.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        164⤵
        
        PID:3336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        UAC bypass
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCYYQYgI.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        162⤵
        
        PID:1320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiwgIUIA.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        160⤵
        
        PID:2380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwkMYwko.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        158⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies registry key
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCsoUoEw.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        156⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        Modifies registry key
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        UAC bypass
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies registry key
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies registry key
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiMQIwYk.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        154⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:3940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuQUAowA.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        152⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:2608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkgoIEkU.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        150⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgkwMQgo.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        148⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQsIcYYs.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        146⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmcAgwMM.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        144⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        Modifies registry key
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOoQoQwE.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        142⤵
        
        PID:3744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        Modifies visibility of file extensions in Explorer
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYcwwUgo.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        140⤵
        
        PID:796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tssMMYsw.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        138⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asMckIYk.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        136⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies registry key
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies registry key
        
        PID:364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        UAC bypass
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYIokgAg.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        134⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kakYQIkc.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        132⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:2788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuUkkIEk.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        130⤵
        
        PID:1156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juQQcssI.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        128⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmMwMkos.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        126⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:4224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuIcwkoc.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        124⤵
        
        PID:1772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HCUcIsAo.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        122⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGQAAgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        120⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies registry key
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSoMMAUw.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        118⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyIIUwcE.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        116⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:4292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYIAEcwg.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        114⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmwMgcMs.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        112⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAocEgAk.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        110⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoAkkAoc.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        108⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WssMkckU.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        106⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:3416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies registry key
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcAUwQAs.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        104⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaIQoUAs.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        102⤵
        
        PID:2084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwEgMMEI.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        100⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUwYkgkY.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        98⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKUYMMMs.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        96⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsYkcgQI.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        94⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isYYgkIE.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        92⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WicwcUAg.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        90⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOAMsIcY.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        88⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuIUUoYM.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        86⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XeQUwoks.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        84⤵
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQgYYEoM.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        82⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        UAC bypass
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsEYYQEI.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        80⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:1696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mycUUwYM.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        78⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgkcEswU.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        76⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckwIIYAk.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        74⤵
        
        PID:2120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwkIEgUw.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        72⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies registry key
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCAIcUkA.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        70⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAwwYoMA.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        68⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\segEEIMI.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        66⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:3976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMkAUwcI.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        64⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySEUMskI.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        62⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYcgcwws.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        60⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liEgIkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        58⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMkUwkQc.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        56⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYokAkMM.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        54⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSIwkgAA.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        52⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQgsYsAo.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        50⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BscsUkEs.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        48⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGwEgYsw.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        46⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQgwYUIc.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        44⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmAwEcII.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        42⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSMUUAgU.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        40⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKgcowYA.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        38⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkAAQkMA.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        36⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BogkwooQ.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        34⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCgIEIIY.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        32⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAoIYEQw.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        30⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSMYkokU.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        28⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGwIIUEU.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        26⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZikEMYog.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        24⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        UAC bypass
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwQwcIMo.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies registry key
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEoUEMgo.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        20⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcAockEA.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        18⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckggQckI.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        16⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKcEEgow.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        14⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEoEgQAk.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        12⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIAMswYY.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        10⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKQIYgAo.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        8⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2152
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3132
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3740
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAMIUUYg.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
        6⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwUUkwck.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4076
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4136
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4308
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3336
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmcAAUQE.bat" "C:\Users\Admin\AppData\Local\Temp\3FD19852.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4568
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2648
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4712

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Modifies visibility of file extensions in Explorer
PID:2532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5028

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3552

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- UAC bypass
PID:5052

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4352

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3124

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4212

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4460

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
321KB

MD5
e1449b5ffc14bf48d66631db9feefc24

SHA1
407aac918f89a079472cc796f4184946348702d1

SHA256
7f7c3eaf73ac7e8f34cf67aa26df080c987f13bfc773c082b6085214bbe93a02

SHA512
2a30eb2fd30da622846039aee2a100caa0760662172556e629a71f45f9b4960d1eafb094a673e375f6e646b2703bb038950b56a4b26dcdf4d0f84362b4e08ea3

Download Submit
C:\ProgramData\qWMsMwok\vkEwYIUs.exe

Filesize
186KB

MD5
b259e6f2220a84d9046edd01c4188dda

SHA1
270da1e3ef0228b4e595e54e61a5133085f1cd3d

SHA256
9bec9cb6906932a6266ac1a022419e775383840e5686dbb27d1450220738a11e

SHA512
c95aa9cb91eedef2cccc7c4a9dedf774381d7163df6b590430a7db2f1bf69369bbda48b249e1a369b18d65a1d07294c01a063aeeb8b39087630672acc66384aa

Download Submit
C:\ProgramData\qWMsMwok\vkEwYIUs.exe

Filesize
186KB

MD5
b259e6f2220a84d9046edd01c4188dda

SHA1
270da1e3ef0228b4e595e54e61a5133085f1cd3d

SHA256
9bec9cb6906932a6266ac1a022419e775383840e5686dbb27d1450220738a11e

SHA512
c95aa9cb91eedef2cccc7c4a9dedf774381d7163df6b590430a7db2f1bf69369bbda48b249e1a369b18d65a1d07294c01a063aeeb8b39087630672acc66384aa

Download Submit
C:\ProgramData\qWMsMwok\vkEwYIUs.inf

Filesize
4B

MD5
afbf46dc8fd9e69ebc0086f0abe1951f

SHA1
a987ac64b8b08f319795879948508497931d62a9

SHA256
de8b096edf08abb4b10cf5b8ecc77dfca10385eda103029f0ebfc02264f91e91

SHA512
a756d5fbba3b466ef43c4fcdbc0dd63c00d4fd55e10697a9ed5cccd7898e318db9108e538e0a49427ec26a87c822580663f91013101b67f48a9ea5dcd8b34cd2

Download Submit
C:\ProgramData\qWMsMwok\vkEwYIUs.inf

Filesize
4B

MD5
ce9ddbb6245f1fc4403158e9a6ca7af7

SHA1
7c2eb0e9cffc505679c13090d051d72ab8e12080

SHA256
fc48277482ba1b11108e0cc2b49ed57edb62e6ec143688403aa0c05f02f4ad4a

SHA512
ba53f578e2209420c783d0d5251968ba44ea73c2c42cfdad46c102a6380275884490cf60455b1e2ef90a3226cad99838ce7ca514b637bf82e356123d461148c9

Download Submit
C:\ProgramData\qWMsMwok\vkEwYIUs.inf

Filesize
4B

MD5
574a451cd6a438dd47e1819f10824ac0

SHA1
9bc4e7157e96f834c2c5b9b4b1faff466c0f6ce0

SHA256
d2b2a742acfaddfacb071941f37eae811078584dab6bb5bc9fe8f434cdc19671

SHA512
7494a971b7a30ec0e82da14105bdf35a23eb81aa8a843d39494637d3076446eff0edebdac038d39e942c3c661bc8bed55abb4178d8641af1a163cbb5f5665313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

Filesize
560KB

MD5
3961e1bcf2cfc76f3df647d77722107b

SHA1
db3f0db8a6e57ee65d87557fc9bdcef97c762d7c

SHA256
edc4abc296ea6047751a8d7544a2fec708808dfb3ced04f17c7f63d57500b7c7

SHA512
4e1f9745052d9bf6455f38fa113e6dc15e424ffdfd0b5beff9d7bcfd8142f4435afaa1dd43f6f83ebc70ba721a9739f41f740a990fd905b5d27910c65916a8f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
202KB

MD5
8536fdfee482c27e468a4125a942008b

SHA1
edfa84dc673d6f6766bdfdce86ef939be59f4c66

SHA256
386ea692c1e62ca89b5cc3950ffe3d40a09d4439632cf4a3953c2652ef5a0171

SHA512
86bcc254a477c12abd227c14941b9add76fdd97313f9b7fbb1777b7a8e4126e3770b19f07753658a737ba056d57650feca11116451cc71df1a3c85f51680b2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD19852

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKQIYgAo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMUw.exe

Filesize
272KB

MD5
de39a2f717ade7b1176beda11359ab74

SHA1
a802347118e309a26777e4484aade5c17762c880

SHA256
0996f2e9e16f0c5d7b5e927036268ed5af9f794de283cc1c6f84d138e8bf8396

SHA512
fef039c46b3f6e42cb06f9440ea81ef918ea7f18ee101a05fd9ad5aa41539807a3d7386da8aef0f08d58274e8d92f80393c157a06d9f6070f63399c065cae764

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkYi.exe

Filesize
197KB

MD5
b371edf39ddd28f8f1eb03bf918c3337

SHA1
6de2b988078bf78c0d4f098632e4a745789a4b42

SHA256
3d35e866eed14c1621f38854aa17802d3d254bdab0ed63e770e5313cce1bc1ca

SHA512
65c825bcae959c8c7d34a4b35a0705c01d0bc158a76706bd2808082c7c9b1144c63f704fb8d45f441b5836afa5f640c0192fdc89e67b397735272c7b11497add

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bkwy.exe

Filesize
198KB

MD5
a41bdce737e3d0c6e2907e2129bc47d7

SHA1
da599a275bf88e73323c6d1568d544147935060d

SHA256
46373d86da9e2060d800c6ff588a3be715eac021284945c5702c1290cf3a1364

SHA512
e5f51b55d58299057fb760dd2d396ad03356dc01b737273761af1860241eb7cb770d0d5117047b6fb4950f975d432b12612e12bf4dc1d2c0e88453b56a485c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\BogkwooQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGwIIUEU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUAw.exe

Filesize
205KB

MD5
4e87ca3338b1340d8d84e8c82576bb5e

SHA1
4ee5a1c656ff919f9b1fdae9c8589c9d6547644c

SHA256
d76b330206b0f874ac50b94daedb17d5ded7c1fc9b4a17ed06e39a9ebbad37d1

SHA512
8db84a1746cc67bc36a596adb7c97842f0acb792b74a42c9672f7c0f2047be64cdc9656269e1fd8c9259229436527086992c4527cab1995dccceee98b346a732

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUke.exe

Filesize
210KB

MD5
c6762fded060d685347e52a512dcf29d

SHA1
99776669e4c97fcec820ba5d4382c60d6e3365e3

SHA256
4e8df6d068a6ea175ac671e7cb36e655ababe654ebba1232bf1fff560bd1f14f

SHA512
a795890ef9cc513fa5cbefcfd4a7dc96944688cba752e54a9784aea7c68523b50bb9807edbc298ffc702ff0cac12d955b98e6c3b10b3c47a9aae6833241ec738

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYoy.exe

Filesize
195KB

MD5
9270d2c3ed697189f56145cdc01942c0

SHA1
c02bac4b478cc7b01466ba35202f174a0722360a

SHA256
957746cc6e1be4cd51ca808c7bd2613957a030542c7e52e1f21babb63178de56

SHA512
1ea8c83f35f33dd66464fd69602e4282ff8d7bb80dd7385ce324637ff7021be08f403e51d2e98d8147178f2dc74a9520aa3b635bc1762dd2d51a12c8ee650f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ccge.exe

Filesize
204KB

MD5
4c711b2125f19ab475dc902e89d92a14

SHA1
bc2dbf0bb322592edc286a69c7edba2b930e3983

SHA256
c771cc7f8e96d9b25523cc84e59095b68511fcf157b5c84c1ddb7746f980f0f8

SHA512
4e93cf2fa903d55b06d1d57a44cdb5637c64a46a15b94a7333ab5c335555fe1a960e2cd885d8e512ae7a80c330bfc047c6cea621965eceee7e749b1887db0dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsYc.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEIq.exe

Filesize
1.2MB

MD5
25a1ff7cd1ed538c36493764bb5a258d

SHA1
454f84c40f6141609fcd37657b103390568ac43c

SHA256
65b2933b65484c6b050f8561d951a50d9f9f851aabe3451c3d1d9107418b1609

SHA512
e6f220b183a13f22ceda24de9254a774f790e5b0173c1f21db5ade7ce789b377271c632e2afb05365eca39dea60d53ec0c54b3e8c8b36e761caf5c393fa1f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEoEgQAk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQMw.exe

Filesize
813KB

MD5
0446ddd3f6bc40b84f31317ae40ac75a

SHA1
9778ff2e983b11c9cf50c52205b3306efe4ff2fc

SHA256
f0221792e653efaa4919fb253bdd141377b1d399067e162d82bd2082e1c07e71

SHA512
d7624b67ace04859bc8d21cb50cba6c753478e9c25a10fd359bad0af0ec2af12a86b572a08f327ef6d7c459c5f7cf6a370d0b11c297f20eb29f7d5ccce660531

Download Submit
C:\Users\Admin\AppData\Local\Temp\EggY.exe

Filesize
309KB

MD5
95d99ec83408f65e34b6a19c7325d4a5

SHA1
4e43153c1bb4935d7f6468df29b3917bb1407dbd

SHA256
0ca88837ae9d0cd497dc2ca13176254bc22e44691a7e9d23fac920c5158ca6eb

SHA512
e8e0f796c6ed636f4a802d06d9555a72af46b3892a5fe8568ecd879996a2654ffa0fa251b5938108837dbd0d50c1dc6b211dd7d1450a83e7509d360b7e069576

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAsq.exe

Filesize
783KB

MD5
93d9cc6628b71186c760e3da0428d95a

SHA1
d3835a15e0889753da858f94b8452453255c8cdc

SHA256
fee8801a786625d854dc38cc4f21b2e19b12c881b84befc43c8bbe9a51f21495

SHA512
036eb67cbca840f8ba5be825b761d474a7630a4d0e770af0ca3b1dae7eed87f838d3c2c2ab8917d92baf9519bb43145367698370987de4844ccfa7676222febb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMUA.exe

Filesize
191KB

MD5
eb81afa38bf69ab0d757f6c8a101da72

SHA1
add1c493649a9dff6814396055ef8b7de185946c

SHA256
aa7f091540b0bfdda4d8c3f36dc7c7596b1b7c1daa35df179e34f969e05092dd

SHA512
24aa37c2c0eb69a3b07f9a40249aa4a85c84ae14021ff6be7cd0d65d50808b02c8f394fa56e488a55f7af1f0797b4012c9e8a9943021e61ea121abba82d2e138

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYEG.exe

Filesize
418KB

MD5
2aef556134016441a42f2c4855d68943

SHA1
a6bf6cdb331eb5959760b0a049645e162080132c

SHA256
e8be311754ca0bb0c3e2e1780c4fc5e0a2f951540f7515226ba2e4bd8250dde5

SHA512
e5e17f19136bd170f9cdaaf43d4300f412e14f03aa97828ba89d6c79523c7dc1a143ae6fde65459abab24a2e02b16eef71e838ec993d3d42f9871943bd971cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIUo.exe

Filesize
193KB

MD5
acc6f5e0f9a1d0f2d71c778da056b846

SHA1
57d28d058980471e820c4f570b2cccf41cd1ad44

SHA256
efc20ded4b8849cce365f7fd641c2a1af5fa47ac22cebca3f25b0d9acbfd7ee3

SHA512
9a4c72e4eaba48af4649b37eb011ff39545aed1c4d14bd64557552985bcbf41f645cb6b062c149967864c3b237385995ae28f6cdda615e35a61121d1022ced9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcka.exe

Filesize
190KB

MD5
6805a7e01a87514aab83a09b0ff3f7d2

SHA1
7a3d5e47f0cbc95d4b8e89464888f92719b251bb

SHA256
6c39c5c55ef3071ea4695a75eaaa6b2523544d9a89031bdd00a860dd62290457

SHA512
de312bf908c30fdddb922b6f206450afa386ec0008a1bb66961e557a8755ba715f3a548d891f6c9891aa4432f12c64f2b42a8bd28b31fee0608df3ffb2540dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgAi.exe

Filesize
226KB

MD5
6999bfaf38907b85a7af6c69951d6f41

SHA1
cd00c0114e2a46f684ea21e842aad77e954a98cd

SHA256
8e2cb43fcbc93edc7888546589080052c9a86469845f7adaa836737513518e1e

SHA512
0216d75eca4e8d36d1a1f353b577f747d67f88964ff49844d6d89d04a8c226e784625f35dc7d92617051e46e0b7c18a0818ff1a5865c1accbcecb24a213e1843

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgAC.exe

Filesize
194KB

MD5
d3e03493aabfea1cc7f08eca4a7f6817

SHA1
c5d927a7d9059bbb1ee880ec493408a6beb061d9

SHA256
e64cdf2afebfeb26095eda4751714a052bef8bca29ce827bc254c6a7076813d0

SHA512
544a2c5f14407263019f1daea28edd333cfc4ad19fe062453eff29487dc230ec979e5220d7a8a3f6ef3dbaae69f0bc983b8f0bca21f9a7f8a3406e6c0990df1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwoK.exe

Filesize
207KB

MD5
2a96297fe3795c2d7e36e54660711625

SHA1
78f023a8391fea8e070b75264bbe34ae4491c79c

SHA256
d741b02e53dc9e4ab8be29e0d813d1772db6c18567eb010194ed0897b2d12717

SHA512
76f5ffd6a608a1947f32564f33d76f7dfe6434a0d93733549bdd8d072461758fd9cb6cff3e93a53c1497fa2f435f0316f2bbcebbd17f626a92eee4d4b6ac957d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMMQ.exe

Filesize
323KB

MD5
76c9b716464818e4cbdbb4d8310e52b1

SHA1
e0cc3c069ef4c374b7d9a25814943d33086d69b7

SHA256
960d873344dda1815fb90307be028c6c90da0c08a92b045854beb60ad7d658bf

SHA512
6cd4349c2ba0635e4e67cc82552b513121542d26cfd63c8574749273e26ceb581e62fc63c1f9091a7713c838a7f26be3c431091e51777f8b2f3067343afbf43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEww.exe

Filesize
191KB

MD5
73d4e3d9cd64abd110b93ec59cfedb20

SHA1
b005958d4ff8399674e9416cfdcb5200090fa6d4

SHA256
f1423eec7ac5a2f59d7c80839f5b42d43aec88b977d0a0e2626a540837b3b2fe

SHA512
9c17434e02bda562b590a18d1fbc0b7b6c6ffcfb8377e7d6db8a1cc5092bcca8dc5639f38689dee2238ed3d7864723635e1bdfe675c6b3f702a2b323ac768beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMUu.exe

Filesize
573KB

MD5
8ac6f544e8b8e732e446fc562113dd28

SHA1
feed6ba2b5e96a67886ddb08228c52343702767c

SHA256
840b5fcd824acda8b2438c60167e13217949ca61b5a3a0cd6b61d118311faafd

SHA512
02abc13a5175921ad6bdeedff9588494893b0b21f1d3c4ba3c340f36ccb38805e94cb3446c2593b2173220406b3ed367e7759b26c520b62de6210396e3002811

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMoY.exe

Filesize
215KB

MD5
f3ed8ac67caaccd6982e41fda98161f6

SHA1
ccb7a4d2e6cdd2f4ffac70ae4fb4d521183025b9

SHA256
e51a7ffc1411fc50a08a6027f96b01645c92e99cba7c7233f533a7e3b4e61249

SHA512
8fedaeda3d52720d03421af5f84467a6e533aae31e5a3530a5557f2ce1acbd490131fe865d483c36a82a133750658fee5a32d42423e1106158e4405b0ba37956

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKcEEgow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgoc.exe

Filesize
211KB

MD5
b6b6cdd16f5bf2bb5024d55dc9012005

SHA1
74f3923f505faa0938d509cfbfa6a62d37acbc63

SHA256
01a120a8f689c22f0c2f75bf317d6c5944c8bad4ddb98d07c9fa67d71d073a57

SHA512
10c7699fd6d29fb83ec790ee91fb5fa2d16cf5c09c2b4988ed4f6f6936b2717bf9ff0f02a890dfab1615f61b720f39530d8542e885323031b56e905c291e1ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmcAAUQE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAEg.exe

Filesize
203KB

MD5
bfaf02e66c2dda31a3df0e0c2a8e8744

SHA1
39876b2c2078ef694c3eb9d0063bd97cf7d01d89

SHA256
5770d765736a5ca191ca7fccb44b2852653f732a9086638f04625017940724f8

SHA512
e4ea8d472ac82394783eda6c00d75bc929e37bcb76a8118be020315cac2f1346ead8553f9a8f4471eaabf2c43b3fa20eaa385698ef76f9c53c9b32487fbdc97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAoIYEQw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIEM.exe

Filesize
180KB

MD5
39a5b6ebcb4dab96ebecd5ce2cf5a617

SHA1
6ba63580f764298e000728b63c24411195ef0d2e

SHA256
02eeba45b55dff0f428ab80b7431a57af8bb3dae511dd568eed10e6e1168e423

SHA512
6fc0ba22d6a73cd9558bf14b74f990178ddaef31f24d9a37d4730138e450e51aa4d43ba114a5d607da25cb3a140e82806a77789a6a9f7390eac4cb7a0e5e5b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkUY.exe

Filesize
186KB

MD5
9fc26764d555c795a966fe2ec0879fd9

SHA1
79b86a264137a73dedbcc88d15bbe7760abe24e4

SHA256
f7ee967ef0e9cf42dcccd13293586fd32839cd24a0258c9b7e96290a7c5d3fdc

SHA512
5ec16cecbedb474bd489ebdb1c66f11f1b8ba74eb96f45a3c2f6fc6b1f76bfbd3fd5831da3d1b9ddaa1ef819a6a5e980038222bceed40c7396f6073d8a8cf34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMge.exe

Filesize
191KB

MD5
466b401cb6c29fb12d6f15919c8c7dd5

SHA1
d46c7ef99882a6498a18abc5b874297caf9a2117

SHA256
5169f816a6afcc246b0d8cb0e7c3e3db79cba42c7e2efc0890b9335c373c3dc3

SHA512
cdf971f0ca51fb6ecf1c6a82e4c75f7bc00c433fbbf128b10faddd12beff23ea0a6258f0e2f9cef1ad1bec34e50e68c0aec65388efe508d643b613b14a179d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OSMYkokU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oosk.exe

Filesize
623KB

MD5
1337ae95fb21b131f572b97c8dd5809d

SHA1
5773290637762b48d1aa5c633a9c6a9f92e72584

SHA256
b68a5ebe053ed5b9017c55841a2763937c614a57bf6c99ba4028502513eda251

SHA512
81e1a5bed1c8e74189923dc4c97166b449ecca5e0fef0b7c8dfe9f0ec33544220f00c7bfdc1bd5a3806c81e4b32e5e619cf3f2269d2c1754d113c7007b514c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEoUEMgo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgQo.exe

Filesize
191KB

MD5
226013837cdc2f5e98a1a41d8c4bdc39

SHA1
3c346356e4ee9c46f56ba2bbf210f8b33f3250a2

SHA256
362d07bee3c78d5378cda91be3806d828eb03ccac0f0c011eaa2a0db66d95177

SHA512
42b04ee19481eef9d4771deff945025faf93e722f2377b120d969e52fff9de436490d4aa1ada9ac267c9c516d50cee48e1904f36566716aea95a58d6d2f6840e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwUUkwck.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMAi.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgEs.exe

Filesize
228KB

MD5
14d1d5963464de539752b3e5e10d3271

SHA1
3cd85c754b954835cfcc04a40bd2d629b997ff98

SHA256
297dd74b08d44b663f105357e8e7b801fae01f8da01bb398c2edbde05a4151c1

SHA512
26c2319c9d1d9b3404d08875844f64726170c6c9d6dde39a20f656c2a2c78048d2768cb5da2ecfa656a7fb3bd799b65a9ac5f01540950d70101c07925017e082

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkEO.exe

Filesize
640KB

MD5
1598750b5fcd480ea65670217f95f741

SHA1
582aa0d94f993df9f210e685268d557d04998dbe

SHA256
591ea69bd3932080b17a6d22a37cb8f98e5e8a1d5b16ec996d579d7d5c902287

SHA512
64b5aeafc2c71426bacaa74d29eeb28c21b7439bda46302b04ce45ab43b5e3ef6d8f800b38646da698dced50c4304b5ac2675edc9c4d3cc29537f313efa756b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoMY.exe

Filesize
207KB

MD5
961ae9f8403abdffc47071d139845a92

SHA1
13cacd758464e6dc1faf4417cb519c0c08e26646

SHA256
5cdfe600d5302dd79d40e8601e8cd79f2f7b9e9ca00cbd0ba4b36cd242e27acb

SHA512
ffb4ad3d986ad2716b1f894c237ee4c2b856f6ab2849353194f0f63b0a0f6e60af55ab73cd53722e2bbb969213c1b23a377b4ba884751f9b6e085059d8556385

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoIQ.exe

Filesize
194KB

MD5
ea026032bb489ddf73ab33741c7cd8f2

SHA1
2007c5f985b233dbdbb34b0888df3837f56f16bb

SHA256
9e5eddccde1398dd9885ee4fbad267d0b70c809d8ec68cb975cd8145b24d05d3

SHA512
cc2a37d50fa467c7d4ef33e2fad48e46b73c3addcb334a7c158bd0ba1828c359074f2dc9ed7c4b8edab5f7b2360af556f1f08f5930b6c7e91b1b77a13be14227

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUMa.exe

Filesize
210KB

MD5
69b937b73b26e3e44f2545bab694f21b

SHA1
77171edf54dfd523225542d6294c0d4fce986064

SHA256
0b2965867af460b5a95b119b0ede7896f38348a67393b0bcb0ca0883c0b13372

SHA512
beff2911ce44a24dcc08dd48962d1c997b351f33cff14b8656a48b4fcc5f93fffd87ec1604ca650508890faa15989b749df8ded55c7125ac06d789bac262d432

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMog.exe

Filesize
202KB

MD5
e6e9e008ed8e51e11e5ce0637b8442a2

SHA1
067d5e9f74882a7f5bd697b35a41bc51aeae9cad

SHA256
761eeb7bdb0239a654094319bcd6d2c4bb8d03d9695fc8fa58ae0d14cf8939ba

SHA512
cd8b3872f524dfc55bd04a0609b335a4f5fbed3152a3b9727dd94eee20f859e34da9e0d0ba2c76d439907d0c396b62cd9fa4fcca4f239c713bd323c931123269

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEcK.exe

Filesize
201KB

MD5
669b840cb5c1095200376beb6827f15c

SHA1
f267fee379dddfd1b095afc3dc8af39a883b4bd8

SHA256
1998b80a64ef331d84d76da56502e73fb63f1fa585fb1544d423d51f4eb3103c

SHA512
9fcae8db4870829fe8ad90665c06349e966e4ac10681a0aceff0f147106de1791680efca1e985732d6b964c8616a3913ae7a1d89807b0863e12d6d16696f41a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIYO.exe

Filesize
236KB

MD5
8b91b3f30aea6cbf62ec993eb632fed9

SHA1
9327f941dce88da3794c8d97264d41e9e5c65761

SHA256
63aa201b7352beeaf5d54d89e5d7e20edcc5311242dc673b758cc16c696c73bf

SHA512
362ffd4916fa73c576f8dc2044d49224df5b8851e77d7f0e1ccca2bd1c509994b777545094b2e21b5e8f2592d41485189be369acded24637317b582a74e44268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwwu.exe

Filesize
196KB

MD5
d4590cc719216ef04b56b0bb2eb7704d

SHA1
c2c6fcf2206fce85a79fafb9008bf39be9ca199e

SHA256
afd0a63f61406fdcfd6c2b7a9dc98290f64d283bd810f06b7b693ffd7f3a80b6

SHA512
89ef505d8312d408268a73da64c49f46c4d2b20ec5a4b7f4399fcbc188ae57598fb0ec22a1c7ce1ee0a05a1741b76c4e4a5f11ec1860401dc0e878e0dc354f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\XccA.exe

Filesize
196KB

MD5
68f57b8c9c8ccebabf4df56817d91aaf

SHA1
055632ae01e7cb2a2836dbdb2a9fd0f91ad2247b

SHA256
a6f16261bf673fb1aa700c3e3d7ea47ca1c07042413ebf5fe5aaa09710d8e45e

SHA512
760b8f771e0cd94ac2b54ecf3657a2a46c0dcb04eeb6d7505afb605e8f275dfa8c614eb284413fc8259ec592d190b09fd6042bd6f65cc2c89d35b822fecb142c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcoA.exe

Filesize
194KB

MD5
e7dc4a716c067da942f28e64554c0a1b

SHA1
d0627f84674137e96ec9aa21f56672b21af348b2

SHA256
da6348db7571348160a05327c7e5c57ad3d14e7c618baddf13e122ae19f8bfea

SHA512
f74f8f1cf88856d3bc081dc6465f54f9a6791cf02e810d13def611b01ef7388776be76323f2ee33b7a498a81d81a63027484803339ceb3b6a52beb384610ce5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XssG.exe

Filesize
637KB

MD5
c11014d71b6bfe3867df759695acc4b1

SHA1
ffa5ff31e26a279e337ef954c291244d10069630

SHA256
fa2620622232c3cd03b437342b176b18b808d490d91561398976f31656259a6f

SHA512
dbff2f736d968042301093a07e92ecfa5335cf5caa24b1c9a81b8c727723dba88c425f1326bf1c3274bfb8536b4801a9e8abc3acbe165766f8f66a5d16ddef86

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwAQ.exe

Filesize
180KB

MD5
a6efa735239e3f500a46c338e3295835

SHA1
dc7f6912ce16b118eab8d5115597d6dcfc62ab9b

SHA256
50b89a0ba2727cb8b4cce9dbb2c379f9dcdb232399f45b6b8d50b88d788e48eb

SHA512
042fe4c642a2a2cb055589afb58df823cfff7f5e31c09925c996c5ec01e8204baa24aa781e48f169f5075df515f3be1fd5d7bfe83764c190e26145a334e8faf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAsu.exe

Filesize
195KB

MD5
2fbbe914aa9deb75bcae5e0028fa328a

SHA1
8b4f2864ce90c118ffc5ef921866a9deeb8c9913

SHA256
f39a0fa3f1a5cb1296072bf34e570165ae367cf09b29f2dfd30c9c5ad7510a19

SHA512
7abdb2fe9723bf04e1f77ef9f00bcf69e1ebd38825f29055cf14f7551f5a89d2de34d6bce46686bbc31453553d107d68b77565b24bf5165cc71a56dfa9aad73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIQi.exe

Filesize
402KB

MD5
28d49832af8c8197e83da220a122abd6

SHA1
77e87cdc7d928e7cdad97f40754c721c7616db12

SHA256
1c7a56cb6f04ade10ee23d727d104404878438df39f6e99d8e27a3f27d389f38

SHA512
3d18ebf978b4a566a75606d43035660e5722b8853af0de7ead26405c1e3a925f6bad25b807e404974f10bdb8eb4a961e2df9e180119cefbe0620f8d0a5783015

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMAM.exe

Filesize
192KB

MD5
ad3eca07de8fd6e13d86a3d745bcecd9

SHA1
942151060b7f41875b4d07520a49d475673dba24

SHA256
14c0dd063a8751307b2aa0594c06c4bd2719c8ee65cf59c3577026dc210c9f91

SHA512
9029d749ab1bbc08160aff53351e7eb5a5e4ce6b2a0b3c961bd49fb6819bedd66b53c0d4707ad2a0b398871bd393a1fa49ea0d5aadd0e24a9cd0559a91e7910d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZikEMYog.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAQC.exe

Filesize
201KB

MD5
15654178830352f4f7ea005333f7500e

SHA1
fc46ac7f32882a2f6a3784a7bea6c2ae801d3b40

SHA256
1a80b3ba35332766967b43fcbd08d8f02a9c4f558045e6da9724539272b5efc2

SHA512
587abd5a5714f221a989292b9d22e74f422e9040278ea4822f3bccfc0b98c3b0d04beffa4bf5f768f669ede640d2af0c0905a57c52ebe86205356246d0992b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIYm.exe

Filesize
626KB

MD5
9d2145756fd6ba7da4289e4356d7269a

SHA1
173147f5094e9c4d67b5a8e95c44b757e598a7cb

SHA256
cb6a9c5dee3701fb3852474b3824af346ba7b01bc977f4ea59716fea1c6080e6

SHA512
339942413028a001c1eccb279390fdfc77e53a5e7b7193faba8226a845dc4081ca7e7070d0ba80adbd8efefc5d98fe4ed19f38f5c302bf594b71d2e5087187c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAci.exe

Filesize
198KB

MD5
124edbbd9f2e9c0fd8b9c534827a77bb

SHA1
495cc933a0e63793c7e59284eefcf023c37608f0

SHA256
82fe61ea5f2f96656b22bb0c8b7e42035e01775e48bf4b7f627e9e5e8ce2babe

SHA512
77ac678d778085c65fab03b04f10396a266683dcef9448a850f01d039b5ee811a79cbe4b542eb325121d910ac004886fe9059ef30526cce725a2c595421f8d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAoy.exe

Filesize
197KB

MD5
df31173304849edbbd52bd83db90ba96

SHA1
68f1244d2757727878415a169701b912c3449278

SHA256
1473ecc9f6fa9f0e00000d79a2f5db4d62578710d521ff1889e950c1b5c63f18

SHA512
6be63d09213d00636d743d744ed99062d2ed75998530dba470475b02675cd42dbb88b226cbfd2926ebcbf0d598294e541d8e700010e87273d05084ba2289d7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckggQckI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQQC.exe

Filesize
506KB

MD5
cbb362b74acff358a3aedfc04b900f88

SHA1
439e33411a5e61e9e6a2de4caf4228004fae61e6

SHA256
cdb89138d7f75935902afdf06e2e173d4af9c20342baa6a78114997d28d407e6

SHA512
cf8f11a43197b5f50895f5ee24c472df94e076ad3335f90d18d9e477a0d83bc360f4461e31c5e6dbf5ac305a87e5831464cb13e564dd15f36b1ac7e53159eaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYce.exe

Filesize
198KB

MD5
f7e2a5a4914f90ec8abc7be6a3ba21c1

SHA1
14c0834ffa38aaf247521181523c51bf664359e1

SHA256
43d67885b3ae381d74977160f48fa261d11d72e438a82237e8ccb3aa41352af7

SHA512
9b91109f4e4dff05deb17a96bea7e36d991f74fcbc6bac91068aaed547682c4538efa7e9e470b5382126e654d1641f84f65175f2366db5b1e5ab82061542a78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgIQ.exe

Filesize
205KB

MD5
211ca95bf516cdb65fd2134105146a29

SHA1
306037eac467d66ba7f130afee9d5b0529525fa4

SHA256
7329ab9005c01b86fbab139bee95c7502920ca8bb9e422b3ea5dc324e3058a46

SHA512
779cb0464dd8b74043f9007c7febe4350c37ecdb75c8626dc434eecb63198b8d5ff2f66ff64ab4dce4ce089acba3b7f89a21141e4189c74735b9f59e07ff63af

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUce.exe

Filesize
522KB

MD5
68f30545adbaa0649f8afee9e704d329

SHA1
edd15b100d4c3a62f09ced5bf771996898cfd331

SHA256
dd65793c2fabef10bd37abeb7cd8f4f0eedda04ac187c02e5744918c34a9e202

SHA512
2333300061035a4a4054d1c9942398b38572fe0e04e7cbc49620cce35a005842508a1a6cd3ea91743387fb23a10e7a96760e3ff164f21eac2e390525a16565f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eccQ.exe

Filesize
207KB

MD5
436d383dc2cb56588e96d5f31bbbc402

SHA1
f5d1889f94c74e055980d5334d7d7514cafd6b01

SHA256
97726ed8edae355f5e3a1aa28ab0fd8c10f1476b6a3cfcdba822e8a21a1548ac

SHA512
f0e2fda4fa356b7cacfdc2cafe009e2a679d2dc9b66ae2aea6275395a81eeec88e5ee381389800f58e4d1962c72167f2e1fd0a8ba34b5de396b1b92a0aea16ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYQo.exe

Filesize
182KB

MD5
c049b400959bb148e3019895ac62208a

SHA1
5ee67c88c719800c5b7a8c6143ebb1783d5b44e5

SHA256
30d052d143f2bd4c18702c6f23a7005a1ed0c5d1c48cb61e84d00017fb121cfb

SHA512
1803aed40ed3e79090a144736cd41b18b2d640481413e534a140a7cab2b169577e4067b131f833be2ddb433b77b64ca7e77a42d6851b08e16385eb196de7fc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcIO.exe

Filesize
200KB

MD5
1fb295495a11e72f07e13b02e073b3ce

SHA1
6c940232f9abcf15173493c36f73b54288da4a68

SHA256
78092fc3bf3a5b86808b5d6e9f7cf9c854b5465b047932d0cb4fa5483c33f664

SHA512
2b895afae09feb982d6285b55396dae67c19fb9bf1186683395684f1314f7e226ab658e7a18d0d02943a768786c14e24670e901c96ca0209727b1cd4b999c4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gckI.exe

Filesize
224KB

MD5
7dfb44a43af6fce37de8a931f29ac0b7

SHA1
2840be9770f409d172353a75b031309aa9f486c5

SHA256
ab8944741f919a0defda68b88cb7d6f300977c2bb2b7e8a3318ad39b46f59e62

SHA512
5f47566f3fb00c8d1189bbd81761857e27395f8deeb99bfd226ae3aa97b737aa4be679e42f136fd90fe660a62367cc332fa870e8716c7ee189613bc4b77e7170

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIAMswYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcoM.exe

Filesize
197KB

MD5
78773ff3f1b9155da3566e09a5e72287

SHA1
88d745fcfcdef04061398e5baad57bfdbe9c6f30

SHA256
67c16aaa54aba8e78c0e60530a55b7565e6d1f20315d1df51b5a1d959e3dce33

SHA512
f319b8aca368b678b196deac5dc4ec1871fe21f686802f2f962bbaad67d26bcb4998e00521eb8d122845901e6042aac4f3a0bfee82c7a61742e5e12d02a1b71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcUc.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsAI.exe

Filesize
204KB

MD5
cc5cabcf703f3240b114237e14d5a965

SHA1
abd46d2f9e419bef9b0d6529f249719e7ae66354

SHA256
84945a2ed9a7a1386cb2709edd62232f0cf345cd12566c37e134e62276365158

SHA512
b20531e83a72a0a6cf2d8650cd3393edcc5219355b157bcc61026ef507afc6725cb3e59608e2f1ba389a4f86defe67ec9fffce23822e9d71a177ce017f64843d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQAY.exe

Filesize
5.9MB

MD5
ed4582d532648cd5dc2bf17484c720d1

SHA1
3d821f3fabf072e0f6e487e6652b3e099ba53306

SHA256
bfea893e89602709c8f3019053b8282ed5ab6a3e4ebd3806e8dd2677d0f7a451

SHA512
dcf37278572efdc268e8af6c1d2762592f1e1c0b7fa113c3cbf2da2f3c932de953d2d961c8ac07945d7b3373f6043c7064b26391afa24a848a9f5692f7135165

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgIU.exe

Filesize
5.2MB

MD5
3d857855628d65d8a3e4d7c6d1576583

SHA1
ff59aa5cb4f2afd200db2bba518fd6a49e28a107

SHA256
2a55afad31957ae99cecf647889265b196ac3951e1ec92309a1c3474cf4289ea

SHA512
aa3070559d4a6b34781c5236e1d5bed0f301ad5ac8f375bd571111cbbbaa1189fff6d7fbe16cf3fb7608f49ba17e0ec075058e885008258ce5be8a82efcc6b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUMu.exe

Filesize
187KB

MD5
efdb001591bc5585092551b4458e87f0

SHA1
6d38253fed658cef8c3319aa199356cb059d9792

SHA256
2bfd96aeae3b4b6ece9c7a9c1d4021067ed6b33c832755fb68fdf2fb79972d5c

SHA512
e41b04fdb92e42401c9ad35a0ce4d076ac5eea787d45145c37de62d2a11023261150a3a0c2367719c50f42452dbfe7f0c9a569322a6acf361a7a8901dff79412

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcAockEA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcEy.exe

Filesize
211KB

MD5
523ac85c65f699c08730131ac31ffb14

SHA1
a005ce020a241063c29c438a0250edd47ab5eb3f

SHA256
f404e0a077bf5d7acff938d01ecf07b4dcf44f0a49dcbe431dbb2a44b952d09c

SHA512
864a4007844a0b1c7da3dde25371b6600f9a11c4c0383c91507a072fda1684b8cde5628a86053d9acfe8d78cdccac5210e9a0f62e6f9713529490e770d883844

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsEY.exe

Filesize
193KB

MD5
eb31ccc9a64ab56b50a6e6b70e4ddeba

SHA1
a314677d77f98eadfc495126e0c38a128edf94fa

SHA256
09b9d63589bd2e758699c11de7467136df144cccba206d513638b3690a9d1da6

SHA512
3686de76c71bdd9068a052d2ce9078ae7bc22f06d3a7ab4f8d3401993aeedc7a5cfd3db019ddedf07c9397e8a39e5526d5918453629db264d6f1a83573f429ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsok.exe

Filesize
1.8MB

MD5
f105ab7627ae65c4e09ff9e64d0b1c6a

SHA1
7fefb5a9fc3708627a6ee03034a1d2ead711be36

SHA256
8f8378ef842a315ffebe174cbd8baf744b4dd06e274411c6389a0ad105395844

SHA512
66fc6acbf236142eca42b6dad9005299d114a0c9f83eb3eba917fe6d0d08d4f3cca1f0b5dec3e0e29f892a7ddd87afe39f179f24ecb02d3238e32aed616b3aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMow.exe

Filesize
5.9MB

MD5
3069fb8cc634ac02f6bfe1806e35889c

SHA1
93683adff4645a63da66d0aef0896a6548edc88b

SHA256
65fac6f2a7c9da8ee9bee2b2897c84022de2b9bf0003eb3002ab22b23cb89794

SHA512
ec82d37b92e5d2ffd19c3152935fc3e6429be5af1f74dc03179247a86cd968d57b658410f744f1a52e01a07358277022e27c520e1912f985c8904d651829dcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUMQ.exe

Filesize
821KB

MD5
da3e330ce6eb4041fc6351ae590371fc

SHA1
df5d0cc194ca160e0ad1b7905a40cd3d071615f8

SHA256
3894248dcc3f6b00edf3b6b18c07965e86648e5b4ce44416912eeef18b641015

SHA512
bd350d189d0db09779904daeba283ccfcd129c5986d56a8757dd6333db7f9b02684f5c0f164898f0742571d5162fc653e82501a597aeab9e9c85f43030d06ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\msou.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwMy.exe

Filesize
190KB

MD5
4ee704f911d6c14deef0384392660bae

SHA1
e8734897e2a0195be3199c0e45ffb350a7404296

SHA256
1e9d35105c5640ce646d38a8734a75a6490c470c5da6cb890dde2d6ce9ead4df

SHA512
7c2a56245ddb829e7e75d685da92eac026e43aba4f770088f143b68d97972e08d5a8c53fabba204aa621cbd9906a726c8ebd8f42738933abe69cfd4b074dd470

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAMIUUYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAMIUUYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMUm.exe

Filesize
198KB

MD5
0e0d7f596c85f2e007e0367d6db48349

SHA1
0d81b86c2baed6e2de7777c54e9a62fd9bf9b1fe

SHA256
fe73faef47b02489e120a6fd0b4bc4713343bdf2b87b0ceab24fe76217598ee9

SHA512
2977b567781758351d4d013c2d20bd56cdbecc5f2a0c94192804b59b17b5159b4a8922531641e2225110d38cc5807907d988f2ab2f73b965e30b639b61068559

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYwc.exe

Filesize
231KB

MD5
27a7051a3af6a00232890367cf7cee80

SHA1
463045f7de9500ef065490173015efe7ee33175f

SHA256
478d2ae6a5e18fa556c8cbffbf2a4040be36302c3edd37d56e8c241c8c83264a

SHA512
7757d2334de19e28956eca55d3bdd6f89ce0bf0475f25dfddb3767df3f5079de469186aa3961d1479c5b28993e76d9709fdf47bad921ccc35464c8658ec12116

Download Submit
C:\Users\Admin\AppData\Local\Temp\owMM.exe

Filesize
241KB

MD5
7f9f5997597fbf1e4dce8128f15bea2d

SHA1
ec3cd833c627c3ec1b65f4c4223ddfaecba45500

SHA256
66b9b114e76c7eb7689d8de77c5e40206f1785915389fb6a744a21e1c215340d

SHA512
ebd36b665e48055ccf8f82203d4acedaf50561839a994dfecaba34b309f94e2984882c38c7832da6835033232e9edeee65f9699a24a509469e457ee4cb7843ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssm.exe

Filesize
195KB

MD5
a8982af208e1335b7d5bf06b7b935095

SHA1
6bed14bb68b6efce904f193949016490e1aa5ad7

SHA256
92f93ec99b5711d7f2dd08ca14a5823f6feca01032347648a177b040fb15efb1

SHA512
c90eb210137c8ab6e0a9c58985183a538cd295c56d9827d0575a764ccbaddcbb441080ed425b16148ddcbe0b0eecc83e57663fedecacd71127092626c4b9b409

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEUm.exe

Filesize
206KB

MD5
f08fb8a8730576a1865e20ab389346bb

SHA1
91acdca558b546d7a553a62e14c37363deeb9407

SHA256
d171bc5d65c7b1ea01a1a7f9dbcb4b7c8dd371c51f26ddaca59c7d58ad36a74c

SHA512
f103d8edfccfb49340f1c5d2c2e3ca85670e5ba969ff995240e5e5f1ad9bb00729a3e8307a04eb0981ed66b4ab92c475280797e0c359f68341910b85fbd43039

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIMG.exe

Filesize
972KB

MD5
12933f973d01b99091a774859254f762

SHA1
a9cc39aaef497ce41b51b2525c787f93ce2955b7

SHA256
b627bbbe407de0b4b4f973fc65a6a24539e54357aa35a09b9682ebdf09d80f61

SHA512
df78b613e9025917cde20e600b63f9a260afba6d4bb563af904b06e91e4e34407e3ecaec24923121f5c01d7fa80f006f22a626620e018503db2f05fa58754033

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsgW.exe

Filesize
230KB

MD5
d25d918432caeb8fb5220211e73dd5aa

SHA1
c61411a63643eb211d417919c5b73884e1cf8a13

SHA256
6bc33d67f724e5e8f4487081d85291a7d6c2493f224f88636a3133cc5d5f5f08

SHA512
caa47865400892269edfd9b78d8a046dce16f81d0baeb5a0279485d15ca79f28c6db91b15e3eb16297361aaa4f98f0d533695864074624f6d78b73df2f1022da

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAsA.exe

Filesize
180KB

MD5
a7c92797d39cf148be73af83473e1e2f

SHA1
16d9cc35311845d85ec80c76e5b269bb58f34784

SHA256
c2999fa144e6f042665b49698b5f3f203a8df2249bf9914c2587d9ac05eeaad0

SHA512
51e03afe499e5ad3f5bc4ecc505c60c409b2d1f429cc7449cf27bc128f1c195a6b6fdce1d259ffdadc4ee534deeaf6aaadb3f93508da684e8ced10a8f50ff96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQoa.exe

Filesize
634KB

MD5
c12a9526dcf5fe66ae1cc7bd941e899f

SHA1
ed3eaa24f97e3dec02e9f04c9b80ecaf3307f72e

SHA256
a9b329b00e6e60e56db9a447824cd6777f8f47d40e7e93409e8b6616683de7df

SHA512
c9e5b6ab9d1ed5a5d624162cfad02e792b4b6d541f47e71375a7004537ede9ea13574443c0d12b7a99c1bab033a3d59132d68a24f73b53d254edfc8dda8821e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rggW.exe

Filesize
206KB

MD5
85f05f9a06ffa9b15bb1e238a8e54045

SHA1
4e14dc81948972d8a4558fdeeac0cd10763e6a44

SHA256
72d7c836b3eefa6b6463c18ec2ad42ee34a53bcc9e7bf136eb98f37445e03ce5

SHA512
a3445dbdfe3e63d134f08746fad79a647ae2d386726b11f1321d6b463892dae76a1eca9d28e68c55b01ac5c998932a630a94d7d8df0c8980f78fd4b9e7ff11dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\roUe.exe

Filesize
207KB

MD5
d8eef6b50cfc928014870ec74670a4a2

SHA1
74816aba30891e399aba5b5dbafcdc6a5f93c941

SHA256
2ef8cf30c65a72f126b0d8bad6c4d86012a17284574e1c069d3037310dd1534f

SHA512
8ec9d641366e1a47e3f0ad7a915674816aeab1244fed0ca02458ab77c6b2d0800c08281b8de9ec1359f22f1ac4b1df67f79e3284028552273fb11fef8abf00a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwQwcIMo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAQQ.exe

Filesize
197KB

MD5
b90765269dc57a49b99061802801fbaf

SHA1
93a8faed0f1b81a07d86cd9fe17787a0c2176221

SHA256
61c35df838231a12f1df104cf56db021188a87252a82d181e69f6cc692a0cacc

SHA512
6b4e6bf24a902a0f3db59a7f7a3c52808491133a18dd1e6c683de852cce99d985f9a06991a2c43a8b7aea9d87528737c225e52554f469e02b43c6b0855dbc939

Download Submit
C:\Users\Admin\AppData\Local\Temp\swUk.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAYk.exe

Filesize
205KB

MD5
6049f7fd2d2864794b195ccdbcb271a8

SHA1
eed1fe1a9258da5cea2d8fe8725d685a8107458d

SHA256
38a2e71ee8ed525544e3aa5f4dc9fc2b006527a1b0193d388c16ef0aa908a612

SHA512
0c8409af94accdc54c68b57f6dab11513004e406712008b3b80e3d8f1639626d85f45ded2ce91ff9d596b5af2403fc630b14ffc156b2f6410c28f57cb91cde01

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYEw.exe

Filesize
653KB

MD5
dc5cc2f3de00858db4af2a424b5be3e4

SHA1
9c178811f7e45e9cbc38b0f12efa2a9641c53529

SHA256
2524ebdd60be8d85002d8b5c15fc50f5cd1d70b069604fc61f616cda83c4f1c2

SHA512
6292b4d65106c35230064d60cfac6e707dee37a5bbe8e4da87959f55eee7b97a8185a5865c51dd441efe465e860b1c3b5a432de2c90b6dd9fc401c1cc433e753

Download Submit
C:\Users\Admin\AppData\Local\Temp\tggs.exe

Filesize
204KB

MD5
86dd3867aa1f5d3a6f6cb2ac735fd380

SHA1
69e595db173736e47ff4493093fc969f3ed5976f

SHA256
9098ca60ae3d005fbd297efff6b017047cf3fa648d19a0337972825c1aad1a12

SHA512
8c2e1cbc1df971e5f276b401dc6bbe7e5481bb63a436bfd727ceb9f9396bc0ad7abcb2ed223181ceef3ca8d9074db6461777f57bbc4c6772b629b4356ae0dc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIAy.exe

Filesize
206KB

MD5
e9371f23f894cffa00e896df645ad3fc

SHA1
a6ba58ab4b3b061af3dc063508c967e290c1c81b

SHA256
470d6e78ac24e959427810cc5ace12471a1543c2f763e4000042cc11a93debd1

SHA512
6e5f1de285e71d38788fedf125b5c7d551a295c17782b6646fdd6cfcc706874db333612ae263958d61792df5c5dfab52273f235a3eecbbff79a0c63b801ae9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCgIEIIY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUIy.exe

Filesize
783KB

MD5
81723fd6013e498821ad6575d0fe18bd

SHA1
c2b063b868aef7f286f4bc98e7639291b47ab29f

SHA256
6bc51729f699c9fa6deb4223b9b0be575947cb85ee2a7d49c378fdcb252be1db

SHA512
41657b000a7c47d11ef811b23ce0100c1c95645064399c246c72df8758111fc0fa456f7e9c73d7fdd100bbc4e8e4ffbcdcbe6b62012a9562433d14769b922f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcoS.exe

Filesize
5.9MB

MD5
e4b2f136bcc52462a294b523a69aa968

SHA1
b955cc7a58392ed8475f13072037f5c1e712b60d

SHA256
18a83203a73e9443010d5338b6371bb257086541f4540a404cd14cd108495887

SHA512
360021c8ff66d77385d3995f4a1c024bc3025f77cac56b4b1cc33331119a5cc6ed64d46f0c1a5085aefe271c5b259e5c1d3e776a8f2b5d867821ae4608b49b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIgg.exe

Filesize
1.7MB

MD5
83040dc404372ac7e0247671231bc372

SHA1
c11ae1706e05f1fa4a87e470b5443b125ef8e23a

SHA256
2883599e8aa8c1bb35bfff1c9afbf4e496c9b0b49af8c2d3b155dbea1cbf7ac7

SHA512
c784e95705ba75ee9b573780e4e8fac00948156157abd4d5c0c4ab44dacafe443c00a74802fbf72a7a3faca089430dff8e78c6638de1f6facf2d50aff20beaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkAW.exe

Filesize
191KB

MD5
10cc619777e37bb7903fa6d2f5e81d51

SHA1
f4a13a135a46f7740522691a2c43fba91da9c697

SHA256
ac220489c983286c0f1c22daad76811b2f32f86a8534d7fb39a1f76832d7b5c1

SHA512
cea0cd4cba19ec16a9c38ccf90905b24c39030e8b113c70c92249cde695b9c7a3486ef6357b8c07bdb2f3a34c0dee5d78e792bd3cb0874d93fea51dd7f1882e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkAu.exe

Filesize
197KB

MD5
70b83a33d1dd3843412deee60b3aee00

SHA1
4acd32ec4d4157ab25b478c807c3f73d93e1fd45

SHA256
0464df25cf480835a013cda5706ea727a8ad405439ea0a5f76bcb2547a4d659c

SHA512
fdefe6f840d3dae432ddf2bfc01f507e451a08de372f127d90e915e1c9d735f03ba138a1c564fa1ce92aa0d7d5f2a36603d364b08cd4d0d7171301d07c266c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcEc.exe

Filesize
325KB

MD5
7591104d12a26f5d4fdf14d97e3f0ee8

SHA1
9f8e9923009dba3b4dc201dd818df6d919ed0e77

SHA256
7472ac9b2b27e75b07035c5391375088103081451fc3e636813cd06e7a0a47cd

SHA512
afb7f6710c012f4e48d2cd2ec45ac277f0e0206157c50500ebc314093aef54f8f15dde4ea20ee0a1e8b8193253d72dfc85be211ffd5059ad66f364ab8b600f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgMQ.exe

Filesize
390KB

MD5
5ebc369ef16e1c45fe85ce22bf547b36

SHA1
f2d5f3098ffaa74a89f5135659fb22a0babc0438

SHA256
2b5d3594c7d1a5f09aa56c2192d6bca31e4c3b5ff6a8509ca33e306d4c035846

SHA512
79cb3c92c2fffc500e8233e532503a45fb45eb6b6715c3aadc353a0ddac4c7a75992f86bab3990665beaab947a60797cd99096498dfa9517379a58bb8da9bedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkAAQkMA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xocU.exe

Filesize
192KB

MD5
ff25b9f11bafa3472b970504bb4ff81f

SHA1
5c1bac126b1b775c4d5f94536f5c256beeec4cc9

SHA256
bbc7b1e2b31ee9f5396d6a5178837a768213e4c9963b6720094e176ebcd937ea

SHA512
1162c1a50d135d9119a6fd1cec41df9dd8deaed55968b500e219d9586638d9053788cf3e714a68a9dad981fedb06758259dbda2ba642b0d960bc28a66c1c560b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsYw.exe

Filesize
197KB

MD5
c184d033c97f1495bd4965d752526658

SHA1
ff1f7732772134c51905d8f0a3032450081b3b56

SHA256
2b6971f9ccd132e5b18a397753c7c0adac48f2d34f2cd4a2b274c32dd6e73aa0

SHA512
b5d281bad7ded67bfad7bd8437f2fbdfd26dccc703cda09db8766ee528a8bc271d193efcf0698f83ea973ee2221fc67d2456184fdb82342c46198b3d0f83a998

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsQU.exe

Filesize
193KB

MD5
7dc37dac3eb13c9abfde78fafd303981

SHA1
69a4ebf7b728bb182e9b2be74d10d10368dcee9e

SHA256
783b63fefd359eb20deb83cfd05519629de3ab2e1200a29b345ab224a8e2269f

SHA512
07e43fcbbffd843f3d0011dea5660deb1340e6a0481514cd93ab63d7070a4f60ac391f0e142df72391f5b962cc8fd938c19b8d0b4c71748c378262712f817548

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwUu.exe

Filesize
187KB

MD5
bf7b6f0a9be13dab48471e088c0fa9e4

SHA1
13f78f1e4898284f313090b32e1f103ca058cf53

SHA256
e086e08c392e65a287a6682a742f439b6e499110288be9e0cf583cb7a42d5c83

SHA512
df338d0ffd29c69533648bc5190459bde45c550ab69c98b22d48c46d383cbca5d3a7dea599255b15d569af2690df2de5223385d633d27c2d1c127dbe09341abc

Download Submit
C:\Users\Admin\Downloads\GetRemove.mp3.exe

Filesize
666KB

MD5
37d0d0b04d860bbfd5ccd7fd2ca8ab68

SHA1
db6df3afc648e692d787ad68a4a1a3d049b68a94

SHA256
1aa7e2611eb100945255406facb3ab8607c1c3a99cde28f16df9af5c24076349

SHA512
fec3cf56b40a8344815f821e7e27ce8d18dd2b57fde78a7b51c69aae8a71dabb4658ae5a6fc673ec36c5c478610f0b3032c8d6605b461a517e075ed96f6d362f

Download Submit
C:\Users\Admin\Downloads\MountEnable.gif.exe

Filesize
810KB

MD5
af4208df8ecfe0511a5a854ba6462cc5

SHA1
30852d9a125707bdecd26dc0687395f035253349

SHA256
260216933d075e30f589ca231bdd473f2961d38029687b819ae8d2533406dd01

SHA512
e67f023a987318e8329ec1fe561a3a1748ae1cadf5e55133eef639827471cbdc0c8e8835fd87f10bf0f57716d433a96bb4ff47de7108e339c8b3e8ae0e460a7d

Download Submit
C:\Users\Admin\Downloads\NewInstall.bmp.exe

Filesize
446KB

MD5
d700629f7d0c5ac740135d11ca1d776c

SHA1
333c4621288d19859d14122b909ad681d2b0afa8

SHA256
41e91e70531d30668e25a81ebc37a8528b639720864b471d89b21df67502a5cc

SHA512
154f7b5f1b51dfb737b6619aa9d63d3fddaf016515417523f4c7a3f45b40a0f7adcb56cd91ed19b78a9697da26030b7b6669aca545600faf4f6453ebca578dd9

Download Submit
C:\Users\Admin\XMokwsoo\PwwUQQQU.exe

Filesize
182KB

MD5
a10ad211f1603d9b5619df1cd5e7ffd8

SHA1
67a2be7bc108bfabbfc9c57328abde14f196aa15

SHA256
8cd038714d24b723f671620d554170b3cdc298fec18ca8928b13fbb42be0c893

SHA512
f42ad436ba72e1f3e9ebfdd1a8b9f7ea3f74dbed8de8d6d1430a8e5f1d3d9ec5006cd49904e96bc32015c8e399ffe924fceeb8380d5198e3feeb67049e21e75c

Download Submit
C:\Users\Admin\XMokwsoo\PwwUQQQU.exe

Filesize
182KB

MD5
a10ad211f1603d9b5619df1cd5e7ffd8

SHA1
67a2be7bc108bfabbfc9c57328abde14f196aa15

SHA256
8cd038714d24b723f671620d554170b3cdc298fec18ca8928b13fbb42be0c893

SHA512
f42ad436ba72e1f3e9ebfdd1a8b9f7ea3f74dbed8de8d6d1430a8e5f1d3d9ec5006cd49904e96bc32015c8e399ffe924fceeb8380d5198e3feeb67049e21e75c

Download Submit
C:\Users\Admin\XMokwsoo\PwwUQQQU.inf

Filesize
4B

MD5
afbf46dc8fd9e69ebc0086f0abe1951f

SHA1
a987ac64b8b08f319795879948508497931d62a9

SHA256
de8b096edf08abb4b10cf5b8ecc77dfca10385eda103029f0ebfc02264f91e91

SHA512
a756d5fbba3b466ef43c4fcdbc0dd63c00d4fd55e10697a9ed5cccd7898e318db9108e538e0a49427ec26a87c822580663f91013101b67f48a9ea5dcd8b34cd2

Download Submit
C:\Users\Admin\XMokwsoo\PwwUQQQU.inf

Filesize
4B

MD5
ce9ddbb6245f1fc4403158e9a6ca7af7

SHA1
7c2eb0e9cffc505679c13090d051d72ab8e12080

SHA256
fc48277482ba1b11108e0cc2b49ed57edb62e6ec143688403aa0c05f02f4ad4a

SHA512
ba53f578e2209420c783d0d5251968ba44ea73c2c42cfdad46c102a6380275884490cf60455b1e2ef90a3226cad99838ce7ca514b637bf82e356123d461148c9

Download Submit
C:\Users\Admin\XMokwsoo\PwwUQQQU.inf

Filesize
4B

MD5
574a451cd6a438dd47e1819f10824ac0

SHA1
9bc4e7157e96f834c2c5b9b4b1faff466c0f6ce0

SHA256
d2b2a742acfaddfacb071941f37eae811078584dab6bb5bc9fe8f434cdc19671

SHA512
7494a971b7a30ec0e82da14105bdf35a23eb81aa8a843d39494637d3076446eff0edebdac038d39e942c3c661bc8bed55abb4178d8641af1a163cbb5f5665313

Download Submit
memory/944-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/944-601-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/948-481-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/948-300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/948-486-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1000-422-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1000-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1184-227-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1184-441-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1184-237-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1540-548-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1540-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-504-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1772-226-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1924-619-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1932-538-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-482-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-166-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-163-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2180-251-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2236-386-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2492-557-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-611-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-458-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-451-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2888-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2924-289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3068-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3184-592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3296-152-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3376-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3552-512-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3624-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3624-190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3652-367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3652-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3704-312-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3704-301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3728-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3728-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3904-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3904-421-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3912-338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4028-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4028-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4216-468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4328-584-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4412-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-405-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4516-522-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4864-565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4900-530-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4936-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-476-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download