e8f779aa8691150666aebdc3bd4b57b0dcdf43ab76ddb3d3d673cd3889019088

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25c0a17378ed06exeexeexeex.exe
Size

204KB
MD5

25c0a17378ed06242717e69b42b51b8d
SHA1

2592ea2f28efe478ac042edf2c0a8739941054f8
SHA256

e8f779aa8691150666aebdc3bd4b57b0dcdf43ab76ddb3d3d673cd3889019088
SHA512

f6ab5df57fa1de2d7fdf1420aced07b4441e4208035ef112b97dd16b7c367b176f61c13115a20eefb8eacfb27990d4384488992c203f6bbc677a3429676fea6b
SSDEEP

3072:6ho1jshIqjLdyQb1HIRe39gmpB0JI43GrforUZ9HtSAVX8iqOTwLWe:6ho1fQpB3rpBOhW8rUZ9NhXAO2n

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	fGIQkEAk.exe

Executes dropped EXE 2 IoCs

pid	Process
3392	WQcIgUIM.exe
700	fGIQkEAk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WQcIgUIM.exe = "C:\\Users\\Admin\\tsgkcgkw\\WQcIgUIM.exe"	25c0a17378ed06exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fGIQkEAk.exe = "C:\\ProgramData\\jecYAgUs\\fGIQkEAk.exe"	25c0a17378ed06exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WQcIgUIM.exe = "C:\\Users\\Admin\\tsgkcgkw\\WQcIgUIM.exe"	WQcIgUIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fGIQkEAk.exe = "C:\\ProgramData\\jecYAgUs\\fGIQkEAk.exe"	fGIQkEAk.exe

Checks whether UAC is enabled 1 TTPs 50 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c0a17378ed06exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	25c0a17378ed06exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	fGIQkEAk.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	fGIQkEAk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4968	reg.exe
3720	reg.exe
4008	reg.exe
3760	reg.exe
392	reg.exe
876	reg.exe
1992	reg.exe
3892	reg.exe
4276	Process not Found
3732	reg.exe
3916	reg.exe
3800	reg.exe
4244	reg.exe
3700	reg.exe
4728	reg.exe
4256	reg.exe
4824	Process not Found
4332	reg.exe
556	reg.exe
4500	reg.exe
812	reg.exe
2280	reg.exe
968	reg.exe
2856	reg.exe
4376	reg.exe
3624	reg.exe
2248	reg.exe
4464	reg.exe
3040	reg.exe
2448	reg.exe
1560	reg.exe
4060	reg.exe
4908	reg.exe
1060	reg.exe
944	reg.exe
1540	reg.exe
2220	reg.exe
4496	reg.exe
4028	reg.exe
4356	reg.exe
3236	reg.exe
3524	reg.exe
2988	Process not Found
3676	reg.exe
1640	reg.exe
712	reg.exe
4464	reg.exe
3124	reg.exe
1248	reg.exe
1428	reg.exe
2988	reg.exe
5076	reg.exe
4264	reg.exe
944	reg.exe
2164	reg.exe
1692	reg.exe
2732	reg.exe
2836	reg.exe
4460	reg.exe
4644	reg.exe
1548	reg.exe
2204	reg.exe
968	reg.exe
4544	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3136	25c0a17378ed06exeexeexeex.exe
3136	25c0a17378ed06exeexeexeex.exe
3136	25c0a17378ed06exeexeexeex.exe
3136	25c0a17378ed06exeexeexeex.exe
4108	25c0a17378ed06exeexeexeex.exe
4108	25c0a17378ed06exeexeexeex.exe
4108	25c0a17378ed06exeexeexeex.exe
4108	25c0a17378ed06exeexeexeex.exe
5020	25c0a17378ed06exeexeexeex.exe
5020	25c0a17378ed06exeexeexeex.exe
5020	25c0a17378ed06exeexeexeex.exe
5020	25c0a17378ed06exeexeexeex.exe
4992	25c0a17378ed06exeexeexeex.exe
4992	25c0a17378ed06exeexeexeex.exe
4992	25c0a17378ed06exeexeexeex.exe
4992	25c0a17378ed06exeexeexeex.exe
4584	25c0a17378ed06exeexeexeex.exe
4584	25c0a17378ed06exeexeexeex.exe
4584	25c0a17378ed06exeexeexeex.exe
4584	25c0a17378ed06exeexeexeex.exe
3760	reg.exe
3760	reg.exe
3760	reg.exe
3760	reg.exe
3992	25c0a17378ed06exeexeexeex.exe
3992	25c0a17378ed06exeexeexeex.exe
3992	25c0a17378ed06exeexeexeex.exe
3992	25c0a17378ed06exeexeexeex.exe
3624	25c0a17378ed06exeexeexeex.exe
3624	25c0a17378ed06exeexeexeex.exe
3624	25c0a17378ed06exeexeexeex.exe
3624	25c0a17378ed06exeexeexeex.exe
3308	Conhost.exe
3308	Conhost.exe
3308	Conhost.exe
3308	Conhost.exe
3880	25c0a17378ed06exeexeexeex.exe
3880	25c0a17378ed06exeexeexeex.exe
3880	25c0a17378ed06exeexeexeex.exe
3880	25c0a17378ed06exeexeexeex.exe
3524	Conhost.exe
3524	Conhost.exe
3524	Conhost.exe
3524	Conhost.exe
4676	reg.exe
4676	reg.exe
4676	reg.exe
4676	reg.exe
1100	25c0a17378ed06exeexeexeex.exe
1100	25c0a17378ed06exeexeexeex.exe
1100	25c0a17378ed06exeexeexeex.exe
1100	25c0a17378ed06exeexeexeex.exe
824	25c0a17378ed06exeexeexeex.exe
824	25c0a17378ed06exeexeexeex.exe
824	25c0a17378ed06exeexeexeex.exe
824	25c0a17378ed06exeexeexeex.exe
1712	cmd.exe
1712	cmd.exe
1712	cmd.exe
1712	cmd.exe
4428	25c0a17378ed06exeexeexeex.exe
4428	25c0a17378ed06exeexeexeex.exe
4428	25c0a17378ed06exeexeexeex.exe
4428	25c0a17378ed06exeexeexeex.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
700	fGIQkEAk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe
700	fGIQkEAk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 3392	3136	25c0a17378ed06exeexeexeex.exe	83
PID 3136 wrote to memory of 3392	3136	25c0a17378ed06exeexeexeex.exe	83
PID 3136 wrote to memory of 3392	3136	25c0a17378ed06exeexeexeex.exe	83
PID 3136 wrote to memory of 700	3136	25c0a17378ed06exeexeexeex.exe	84
PID 3136 wrote to memory of 700	3136	25c0a17378ed06exeexeexeex.exe	84
PID 3136 wrote to memory of 700	3136	25c0a17378ed06exeexeexeex.exe	84
PID 3136 wrote to memory of 3356	3136	25c0a17378ed06exeexeexeex.exe	85
PID 3136 wrote to memory of 3356	3136	25c0a17378ed06exeexeexeex.exe	85
PID 3136 wrote to memory of 3356	3136	25c0a17378ed06exeexeexeex.exe	85
PID 3136 wrote to memory of 1796	3136	25c0a17378ed06exeexeexeex.exe	87
PID 3136 wrote to memory of 1796	3136	25c0a17378ed06exeexeexeex.exe	87
PID 3136 wrote to memory of 1796	3136	25c0a17378ed06exeexeexeex.exe	87
PID 3136 wrote to memory of 556	3136	25c0a17378ed06exeexeexeex.exe	91
PID 3136 wrote to memory of 556	3136	25c0a17378ed06exeexeexeex.exe	91
PID 3136 wrote to memory of 556	3136	25c0a17378ed06exeexeexeex.exe	91
PID 3136 wrote to memory of 3648	3136	25c0a17378ed06exeexeexeex.exe	89
PID 3136 wrote to memory of 3648	3136	25c0a17378ed06exeexeexeex.exe	89
PID 3136 wrote to memory of 3648	3136	25c0a17378ed06exeexeexeex.exe	89
PID 3136 wrote to memory of 3408	3136	25c0a17378ed06exeexeexeex.exe	88
PID 3136 wrote to memory of 3408	3136	25c0a17378ed06exeexeexeex.exe	88
PID 3136 wrote to memory of 3408	3136	25c0a17378ed06exeexeexeex.exe	88
PID 3356 wrote to memory of 4108	3356	cmd.exe	95
PID 3356 wrote to memory of 4108	3356	cmd.exe	95
PID 3356 wrote to memory of 4108	3356	cmd.exe	95
PID 3408 wrote to memory of 2988	3408	cmd.exe	96
PID 3408 wrote to memory of 2988	3408	cmd.exe	96
PID 3408 wrote to memory of 2988	3408	cmd.exe	96
PID 4108 wrote to memory of 1408	4108	25c0a17378ed06exeexeexeex.exe	97
PID 4108 wrote to memory of 1408	4108	25c0a17378ed06exeexeexeex.exe	97
PID 4108 wrote to memory of 1408	4108	25c0a17378ed06exeexeexeex.exe	97
PID 1408 wrote to memory of 5020	1408	cmd.exe	99
PID 1408 wrote to memory of 5020	1408	cmd.exe	99
PID 1408 wrote to memory of 5020	1408	cmd.exe	99
PID 4108 wrote to memory of 2384	4108	25c0a17378ed06exeexeexeex.exe	100
PID 4108 wrote to memory of 2384	4108	25c0a17378ed06exeexeexeex.exe	100
PID 4108 wrote to memory of 2384	4108	25c0a17378ed06exeexeexeex.exe	100
PID 4108 wrote to memory of 2264	4108	25c0a17378ed06exeexeexeex.exe	102
PID 4108 wrote to memory of 2264	4108	25c0a17378ed06exeexeexeex.exe	102
PID 4108 wrote to memory of 2264	4108	25c0a17378ed06exeexeexeex.exe	102
PID 4108 wrote to memory of 1548	4108	25c0a17378ed06exeexeexeex.exe	101
PID 4108 wrote to memory of 1548	4108	25c0a17378ed06exeexeexeex.exe	101
PID 4108 wrote to memory of 1548	4108	25c0a17378ed06exeexeexeex.exe	101
PID 4108 wrote to memory of 3720	4108	25c0a17378ed06exeexeexeex.exe	107
PID 4108 wrote to memory of 3720	4108	25c0a17378ed06exeexeexeex.exe	107
PID 4108 wrote to memory of 3720	4108	25c0a17378ed06exeexeexeex.exe	107
PID 3720 wrote to memory of 1696	3720	cmd.exe	108
PID 3720 wrote to memory of 1696	3720	cmd.exe	108
PID 3720 wrote to memory of 1696	3720	cmd.exe	108
PID 5020 wrote to memory of 4648	5020	25c0a17378ed06exeexeexeex.exe	109
PID 5020 wrote to memory of 4648	5020	25c0a17378ed06exeexeexeex.exe	109
PID 5020 wrote to memory of 4648	5020	25c0a17378ed06exeexeexeex.exe	109
PID 4648 wrote to memory of 4992	4648	cmd.exe	111
PID 4648 wrote to memory of 4992	4648	cmd.exe	111
PID 4648 wrote to memory of 4992	4648	cmd.exe	111
PID 5020 wrote to memory of 4016	5020	25c0a17378ed06exeexeexeex.exe	119
PID 5020 wrote to memory of 4016	5020	25c0a17378ed06exeexeexeex.exe	119
PID 5020 wrote to memory of 4016	5020	25c0a17378ed06exeexeexeex.exe	119
PID 5020 wrote to memory of 4280	5020	25c0a17378ed06exeexeexeex.exe	118
PID 5020 wrote to memory of 4280	5020	25c0a17378ed06exeexeexeex.exe	118
PID 5020 wrote to memory of 4280	5020	25c0a17378ed06exeexeexeex.exe	118
PID 5020 wrote to memory of 1704	5020	25c0a17378ed06exeexeexeex.exe	117
PID 5020 wrote to memory of 1704	5020	25c0a17378ed06exeexeexeex.exe	117
PID 5020 wrote to memory of 1704	5020	25c0a17378ed06exeexeexeex.exe	117
PID 5020 wrote to memory of 2952	5020	25c0a17378ed06exeexeexeex.exe	182

System policy modification 1 TTPs 50 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	25c0a17378ed06exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c0a17378ed06exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	25c0a17378ed06exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	25c0a17378ed06exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c0a17378ed06exeexeexeex.exe

C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Users\Admin\tsgkcgkw\WQcIgUIM.exe
  "C:\Users\Admin\tsgkcgkw\WQcIgUIM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3392
- C:\ProgramData\jecYAgUs\fGIQkEAk.exe
  "C:\ProgramData\jecYAgUs\fGIQkEAk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
    C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        8⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        10⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        11⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        12⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        14⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        16⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        17⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        18⤵
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        20⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        21⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        22⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        23⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        24⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        26⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        28⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        29⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        30⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        32⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        33⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        34⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        35⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        36⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        37⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        38⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        39⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        40⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        41⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        42⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        43⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        44⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        45⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        46⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        47⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        48⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        49⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        50⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        51⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        52⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        53⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        54⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        55⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        56⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        57⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        58⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        59⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        60⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        61⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        62⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        63⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        64⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        65⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        66⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        67⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        68⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        69⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        70⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        71⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        72⤵
        
        PID:4276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        73⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        74⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        75⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        76⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        77⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        78⤵
        
        PID:2076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        79⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        80⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        81⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        82⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        83⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        84⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        85⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        86⤵
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        87⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        88⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        89⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        90⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        91⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        92⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        93⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        94⤵
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        95⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        96⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        97⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        98⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        99⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        100⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        101⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        102⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        103⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        104⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        105⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        106⤵
        
        PID:3916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        107⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        108⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        109⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        110⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        111⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        112⤵
        
        PID:3652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        113⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        114⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        115⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        116⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        117⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        118⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        119⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        120⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        121⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        122⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        123⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        124⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        125⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        126⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        127⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        128⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        129⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        130⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        131⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        132⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        133⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        134⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        135⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        136⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        137⤵
        
        PID:180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        138⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        139⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        140⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        141⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        142⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        143⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        144⤵
        
        PID:2856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        145⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        146⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        147⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        148⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        149⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        150⤵
        
        PID:1696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        151⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        152⤵
        
        PID:944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        153⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        154⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        155⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        156⤵
        
        PID:2748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        157⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        158⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        159⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        160⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        161⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        162⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        163⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        164⤵
        
        PID:1796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        165⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        166⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        167⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        168⤵
        
        PID:3376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        169⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        170⤵
        
        PID:540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        171⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        172⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        173⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        174⤵
        
        PID:180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        UAC bypass
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        175⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        176⤵
        
        PID:1384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        177⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        178⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        179⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        180⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        181⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        182⤵
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        183⤵
        
        PID:420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        184⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        185⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        186⤵
        
        PID:1828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        187⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        188⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        189⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        190⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        191⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        192⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        193⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        194⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        195⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        196⤵
        
        PID:1252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        197⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        198⤵
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        199⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        200⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        201⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        202⤵
        
        PID:1544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        203⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        204⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        205⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        206⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        207⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        208⤵
        
        PID:3408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        209⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        210⤵
        
        PID:4756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        211⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        212⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        213⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        214⤵
        
        PID:2416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        215⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        216⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        217⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        218⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        219⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        220⤵
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        UAC bypass
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        221⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        222⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        223⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        224⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        225⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        226⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        227⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        228⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        229⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        230⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        231⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        232⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        233⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        234⤵
        
        PID:2452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        235⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        236⤵
        
        PID:1908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        237⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        238⤵
        
        PID:1040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        239⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        240⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        UAC bypass
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        241⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        242⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        243⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        244⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        245⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        246⤵
        
        PID:2796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        247⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        248⤵
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        UAC bypass
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        249⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        250⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        251⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        252⤵
        
        PID:1256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex
        253⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex"
        254⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:4464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:2128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        Modifies registry key
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psIkYowc.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        252⤵
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies registry key
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NewgAoMo.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        250⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSIcIcgg.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        248⤵
        
        PID:964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        Modifies registry key
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        Modifies registry key
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usEwQscQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        246⤵
        
        PID:2028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        UAC bypass
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        UAC bypass
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqcIIoUE.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        244⤵
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGIIoYMY.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        242⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        Modifies registry key
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQEkYMgI.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        240⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:4340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQgwUUYg.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        238⤵
        
        PID:3760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEoIUokE.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        236⤵
        
        PID:4852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgswwkkI.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        234⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqsEoQYE.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        232⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:3180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMowIEUU.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWQAwAco.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        228⤵
        
        PID:4972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies registry key
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkYwAsMc.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        226⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSAMMUcs.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYcwwMcI.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        222⤵
        
        PID:3360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies registry key
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeIwUwoc.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        220⤵
        
        PID:4760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:1592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        Modifies registry key
        
        PID:3892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaggYkEc.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        218⤵
        
        PID:4744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        218⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmIQwUgI.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        216⤵
        
        PID:444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuooIUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        214⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeUEIkgU.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        212⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        Modifies registry key
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        UAC bypass
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQwoIsEg.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        210⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        Modifies registry key
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOQQckME.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        208⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKEgcoIs.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        206⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKgcQwMc.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        204⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        Modifies registry key
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqsIgYgs.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        202⤵
        
        PID:3604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwUgQwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        200⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWEgcMEs.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        198⤵
        
        PID:4108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCIwAoEo.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        196⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiAgEYQc.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        194⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:1220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgcsYIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        192⤵
        
        PID:4480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        UAC bypass
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoIoMsMg.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        190⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies registry key
        
        PID:1992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkksIIQw.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        188⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        Modifies registry key
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcggsUEs.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        186⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        Modifies registry key
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMUEQUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        184⤵
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eycAIMgU.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        182⤵
        
        PID:824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEMEEMkg.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        180⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        Modifies registry key
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        Modifies visibility of file extensions in Explorer
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwMUgEAI.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:4036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcocsYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        176⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcAEQIUA.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        174⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        176⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIAUIggA.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        172⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:4296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POcokUsg.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        170⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeUMAQok.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        168⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysgcIoEs.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        166⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSooQUkU.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        164⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYooUUcg.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        162⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywAUYYos.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        160⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQsUIksY.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        158⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        UAC bypass
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKIgYMAM.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        156⤵
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAccAoUU.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        154⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        Modifies registry key
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGYwAwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        152⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        UAC bypass
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyEUgIok.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        150⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCUcQUAY.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        148⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:3336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSgYwsUo.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        146⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWcksswY.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        144⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCggMoQM.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        142⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEwMQUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        140⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmgwcQEU.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        138⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euswgwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        136⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkAgMkkw.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        134⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmQQYMoU.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        132⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oaAkscwQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        130⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEAQcAAU.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        128⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qygwAgcE.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        126⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMoYoYMA.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        124⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMAAocIo.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        122⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        Modifies registry key
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asgcwEMs.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        120⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQAUogIQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        118⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGQcMggo.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        116⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        Modifies registry key
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgwAcscY.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        114⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:2736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:4216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        UAC bypass
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUAgsIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        112⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        UAC bypass
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMkwYUoI.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        110⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:3936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:2364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        UAC bypass
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAYsUgEI.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        108⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCEIUAos.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        106⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCwwYMgs.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        104⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqYYQcws.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        102⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies registry key
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAEkMAoU.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        100⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssQYEUQA.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        98⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McoEUcgY.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        96⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGYEcocs.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        94⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUQYwEQw.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        92⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEAUsgcs.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        90⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OaEIUcsk.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        88⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEkIUosM.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        86⤵
        
        PID:4732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykcoYoUE.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        84⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaYAUskw.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        82⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:3916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOIoUooE.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        80⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEcwQcMU.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        78⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQEoEMIY.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        76⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JeMooAgI.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwgsYQsg.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        72⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        UAC bypass
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmsksgAg.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        70⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        UAC bypass
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imUcgggI.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        68⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ToEEoIEo.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        66⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        Modifies registry key
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOEYYYkc.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        64⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:4128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmcAYIos.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        62⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQsIccoU.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        60⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScMgMAkc.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        58⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XikMoMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        56⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuIoYAgk.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        54⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQEYcQwo.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        52⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:1272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMoQwcAE.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        50⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSYgowYM.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        48⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQkMMcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        46⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqkEcoYc.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        44⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwEEwskI.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        42⤵
        
        PID:4308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sccQcIQA.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        40⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        Modifies visibility of file extensions in Explorer
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IekoYUEo.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        38⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lecAQoYc.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        36⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qggQkIQc.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        34⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqkAYsMk.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        32⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsMcgYcU.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        30⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSIgMQYo.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        28⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWAYcgkc.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        26⤵
        
        PID:2348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWEUIMEM.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        24⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYMkMIAY.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCwoswYQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        20⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMYIUEko.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        18⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWAkAYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        16⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEwEIEUI.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        14⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYkYEkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        12⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssIoAMoM.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        10⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMocsEAA.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        8⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIsMoIUM.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
        6⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4612
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1704
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4280
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4016
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:1548
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGMEUQQg.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3720
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1696
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4376
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pegUkMEI.bat" "C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2988
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3648
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe

Filesize
516KB

MD5
72fdc27f52e816734cbb210bb3892ac3

SHA1
c4bcd4c2fb45fe98003681a77c76f7920396fe06

SHA256
e226e7f1fd8640b932f9c54a76efe234e90d9599d16b367441c75a9ce214d0b7

SHA512
5268691076b33469e5dc82b12e1764f26e885022cca66fdd303dd66bfa4ff7c84a9528237c451e48fa93f9ea8b1c19772885a04f5cf4d14c028b85fa5c6e05a6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
324KB

MD5
5d8db55c00c66f800cfe8f850ed12d90

SHA1
59e0b89cd0d08c452674387f56b2fc698bcba06a

SHA256
243a0fac9d52134a57617c82ce894e2dc18387b9c4dca501130b74e6828f8476

SHA512
8b38a707701a97e455250b919b02b1dd7b844d0dbed7ae2e4dd8e1b9485b3ad7d388e6426080825c44ad309525ed6cc53afdc6c51e74fef284aa1b6e01963a6e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
228KB

MD5
55e8d5235a699938751939c263375298

SHA1
761ade40816e6c8201fd2d2c6c9b37db15d05b1e

SHA256
bb0ff431ddffb7ee4554e49eb83599ee667415c0420ece49ed8024db95b9123d

SHA512
c4774bb6290e685f95d7c2109a04d815285ab48ec0b19725e50d4db6760c57d1add0c2a1241b7dc1e8793d8d51291743a1daefbdff2f5567105cc29cb803109a

Download Submit
C:\ProgramData\jecYAgUs\fGIQkEAk.exe

Filesize
177KB

MD5
cb2acd886c46928b0a2c2e195fe0c848

SHA1
ac2aa1686c0f8b3a8e909b0884aa40e42041eca9

SHA256
e4d6c4b944518083f09d0440731720a1c2cace1e8a2054b14f9a75c181ae5f03

SHA512
79811d101461133052c83f77b1d13aecb3ddedcd9009394eea34f9159d63ab30e296b4ed9c5a7f32b942ca53ac224e2edff29bdb15cf1c7c122af9fdf6299bb8

Download Submit
C:\ProgramData\jecYAgUs\fGIQkEAk.exe

Filesize
177KB

MD5
cb2acd886c46928b0a2c2e195fe0c848

SHA1
ac2aa1686c0f8b3a8e909b0884aa40e42041eca9

SHA256
e4d6c4b944518083f09d0440731720a1c2cace1e8a2054b14f9a75c181ae5f03

SHA512
79811d101461133052c83f77b1d13aecb3ddedcd9009394eea34f9159d63ab30e296b4ed9c5a7f32b942ca53ac224e2edff29bdb15cf1c7c122af9fdf6299bb8

Download Submit
C:\ProgramData\jecYAgUs\fGIQkEAk.inf

Filesize
4B

MD5
41aca6abf3b850bd8113ca059064750d

SHA1
556483ff8be4e74ae61b96a3cb2293e5b2d33b3a

SHA256
a91b50d46777c73cbee94265688dec910ed109c76551849234f721c97666c101

SHA512
3e78f1f09cfd386366e70a8162f6250304a098cd5d835a39dd66d815084acf0e358828aedce68dee73f3d566e23b1a91da6790a5bdb0e673c8f44bf5c7cfd05d

Download Submit
C:\ProgramData\jecYAgUs\fGIQkEAk.inf

Filesize
4B

MD5
e954bfe75c6274fd6506f11fa3727072

SHA1
f0c162ddcf09fe0789c1cec20cf0dd8e2bfb7301

SHA256
01d24ae56331dae2e5b24c2730a8932fc41eb22e8a6b31d437740920600daf73

SHA512
d6d72cf5a14894078bae01d29d55900d72a3ad771243c253b672cecf347e0706e3bc514cd9871b12be399af8418fd9c32d4ceb752c84dea0d6ecb1947aa631ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
204KB

MD5
5e386541e67d02f49cd24ee2cfd7dfad

SHA1
0f97536f62b70a56b0d026e8da3faf37eb70d87f

SHA256
582876534894f818110f42d4162dea4daa713559daf980c6d330b992804ef1dd

SHA512
a70cd88b4290db0e10056dd647cab655ca566c3a6b5acd19c6251baffd89c37d41376332483439b04db7588972e3b048ec647e4b2889257fd7505e77078cc992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

Filesize
188KB

MD5
dd3b359c06acc70dab04047c7da36ef6

SHA1
b3802af81e8087c4fffe302070d55bae9789e4cc

SHA256
2fc38db96419afe9e430cb202222312a78a1b109704687b96d7eb5b29e43baaf

SHA512
04f70127966612e73677fdf69f76c4fe879b0a413639164fc75c55e2314d8c8c76e204474a58dbb7acd0ee93e35786b0059526e8ede9b630599a7ea1efb4c8df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
201KB

MD5
35403b89a0fc081b9b57f628e340d227

SHA1
3e73e11857a3e96cf591e528f6d718aef6fed3fb

SHA256
f0555a6ae2fe1ac67abb728b13f7ee296bba2cced7c6f926b31654c0eb386d1a

SHA512
c9b9530a47a49173d2c1b8b9436c9d9ab8424969f8bd779a1a5506fbedf83e2f4dfa066f1c5a401e7716b98f0a941762a5a987de70b3de0fe746645f42266181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
190KB

MD5
d6a270bf1d54e85ee19212c0a81e9b76

SHA1
e54a35501fc43dda3e552fc965b578802f2421a8

SHA256
c184af77c06973c528a243567fa2f987fdac4fd370ee8e0452d6779f55a8b270

SHA512
5f5779bce169a9d01478d0fa5cca34716ba967ac5c2b0c1e2444f58db188aca7810b256104730ca7da7b1c9d13288c964b21a515453d3b7008e3b2a72d12194a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c0a17378ed06exeexeexeex

Filesize
2KB

MD5
3fe5f823824bedd9fe3176e58db69fa4

SHA1
807cc9ffa5fe60115bf9df8a086f5cb1199b0a19

SHA256
9c6a82a2d3c4c374fcc2e78d3eda445ebce74d3a7a4d84fc447739df91cb1f0c

SHA512
03f0684a8ad2545add75637562655dfa3c89d06159d607df6e2efac2c446a95bd9cb0437f1c195a75b2e438d7e7812f4f85fbf136e45402947298a1e3fb3506a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMocsEAA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMsu.exe

Filesize
190KB

MD5
2d1edf371c0f5da1c45c21205581f69d

SHA1
f60c0e8daff57199aff57abd9304218502c40697

SHA256
1b4f6ba09c07206bbea8e13069001b23ffba224bc70ed761d125fb96b6735d9a

SHA512
c348b2099053f81a92144c8e63d95715569024fe0ec3d5281943ee059b51e7f3fb05c6b0c4141df1b36c66eb0b955be2b01a756a05c13dbcf84e24a9e0f86ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUwG.exe

Filesize
788KB

MD5
09f609333fbfebd9fce4b3f7311aaf12

SHA1
91a9f1da85692906b1cf0c3206bc70492b51ff52

SHA256
ff82a6461521bdd70f9a6cdeb4c4ba863b861cf0cdc7ab9bf960f231e433c9d4

SHA512
e4d20fb801e533566b2f958b33a017e0a1f2e9a082ef4547a0699025308baa3b54387f878a36ddf8039d7f400e3511da037dfc505e1425a6e4d9d68c72d08d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cswu.exe

Filesize
399KB

MD5
f3c90b6d9af83b773cd90e58df56a32d

SHA1
0b59c4c927008bf8dc202ecdbece7da13ec842c3

SHA256
6eb2d523dde2ecf6e21d4dde07e79da433b19740820f28badb86c07ea7148312

SHA512
cb5e51959eec536e73c8fa48746b70e4986f29fa00efceb362101e9bc51c678df1e12f749b77dd76bd4ccb2c7088e2ab91358d771cdcaed1bca147662dd0a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQgc.exe

Filesize
183KB

MD5
1d916b4a1cff74e6a3d3bdaaa6de5227

SHA1
1a5335d88531ea9cf8bce97579ef060658be6d2e

SHA256
303baa810a87312e3a195868c18161c28cf03a59caa1b94154c305c6d08e0098

SHA512
6d6606f68f9b14738adbfc6ec4f6afdd3c9104c2d5f10df3d15dafa819bcd66c199802297139ac12dac58ab20d21e024699307baac0da423e8c45e1396b885e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAkI.exe

Filesize
478KB

MD5
06eeab38260c58bbe6c0e1cd706bdaef

SHA1
300f8a9b2419b8681e24ee35b0ea3bfb2e07174c

SHA256
5b9ebfda0cf83b2e326d8ea56634a9e29dced53d094f31db6887191935ec5fe6

SHA512
41da3b2be71ffc5772920bbdd5313ee438a76553aabb1acfc6fbf39cd390d94c37647070d876be5082262db9e5f04945209b5a37b84ee00bf9595e8bb478b8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUIc.exe

Filesize
189KB

MD5
142ead38f8d89aaf3141f07e076fb528

SHA1
a2e94adb104d763488777d4a309c1668c0ca1d17

SHA256
ff89f8f1d7e01ae2c0319cc80c9ea1ec179e6e3eb3811a8d937ead5da68ec5d9

SHA512
4cccf4e598e3de084d6273364b79c961b7a482d6b80ac1b37dac9485ad9272971b5e5a4365ebe5bd95c12476ea3645f5ae56ed39c4908199f0c7d0bdffbfb650

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoUy.exe

Filesize
212KB

MD5
b221e42a5901a4f2ae0bf2762331f297

SHA1
c2677b43013449419320ed37a19e7512d991b641

SHA256
5cccb7343f96857486e1feced9609f541f51332972dccac5038cf87cfab4060f

SHA512
b8fcd841122b7e290a0127278aa90fe7dc2f514fb25ba88ae30acda1e4262d4a56ce803677cc60f723a8f380ca35e530c439072c7f4af5b79a3bef10df44a504

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIkW.exe

Filesize
420KB

MD5
61b37f5c92aef2340b8392e2b1cdbabc

SHA1
a2a3e263b5d3d07f798e7644367565b6231abe02

SHA256
3295895065b46de5685a62679dbd98d695bde1ab75976360f1d252f8b94df913

SHA512
08023260e8b2be33c4138e775a13ed61fdce326d28e6b2e7c19ad7a0ec7f4ec11cef146ef10cb88f43e2d017f56a32adbcd2dc1237e8ab38362083cbcddd3ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYEE.exe

Filesize
5.9MB

MD5
39534794e9d378c793e61dd9d62fdd0f

SHA1
40f3a92fc9dfc68d3b2e5e55fd83de61f963b6c2

SHA256
08a20e6d3d09e8fbf133bd4cc0bbbfd489dd4be8ae63e60b2ef23acd805ae53f

SHA512
9db3e941bead14e71986d527f2fa0d22ac37757726b6bc447975069f4534a10f0cb0725955bf9c3ce59def22dd17810335db663325530d4144e6c5d8fb598ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGMEUQQg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIMS.exe

Filesize
652KB

MD5
6e4d663d25806adedce1418b51913e42

SHA1
eeccd1527c92ca1e6439c6f5a54eeaebfee00002

SHA256
c035970c9d1cc915275123508bdc34e3730012a01a6af99d2fbd0b23af408e3d

SHA512
6842fe7a5135903c1e03d9c880370fefd6d40c63543c85e5799e64dbd9ee62f696347204f185c8d1582c57f8974a612ff489ad2bec6ae9b23d33adcdaf26fa81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IekoYUEo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUgU.exe

Filesize
756KB

MD5
6a07bf0c37650e784b4c458ca45e84af

SHA1
4c8931039fc960090c564d3640648ee48b8d4360

SHA256
0900ed16b7f61d74bcd7e5f73cee31146a6d2fb0f790a293236893f253ce678b

SHA512
b7aefd1f145f76947756929f487cae4058653ac4cbbd1d72e520f79d97c7030e6b526eebd20f12f032c9c422482bf664e45cfb2666dfb8702d7dc3affcd745ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\JscA.exe

Filesize
203KB

MD5
dbf459ccbe97537290e057e07c25a69f

SHA1
6968ad74fc90597f636ebbde8f14fcccf1b19dd6

SHA256
d17506d099adbad6278ff9cfaa86749e533fde21638c640b8e52a721956224d9

SHA512
72eaf6b10f07dd6dc8f20fe7b58b67ba69353de5e8a44548b9c02d1f2e7baf90f081acaba5094e3b2a68a26f60be5ac0deffe9dc8d44376532dd2a424b39f575

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jsks.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEgC.exe

Filesize
783KB

MD5
b29c29d7e7c27ab80d3eb9b3c079c670

SHA1
79a46c1b3f5f88c33a3823cdc61debbb37c9f95b

SHA256
4f1154af456f36ae5b06edb0216e79981df56b5167d785d0c476afc36dd28657

SHA512
31a4c4da2b6581159fd05dce16c85d7c339c719c9146ff42d7492d1893e5069a769822e65153c5e303033419eb256bf4728cb3481f07a7892ff31118c34a2cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEwo.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcUA.exe

Filesize
211KB

MD5
70507e04f69cf3f8484372944e535bc7

SHA1
f8469b7619043b4a9af269f98a003dd26de3c0ba

SHA256
77b00e07b3394e33856009503187dae304119aac5bfe516e654ced2d2aa9f635

SHA512
b2296e8c60127a3635d24d0711aaf9080146b069ab14a8cf21761377087c09ef43f8a41c48369bda6f90550f61caf5539371e8ad95a3b854a5c280c6bb393a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcce.exe

Filesize
822KB

MD5
68f40b9a90faaec18a1815b688961ce5

SHA1
0739795b0a048adb931f8c2ef8e13ea66abfff57

SHA256
89ae97750c8998789d12699fbbf5bac291d262dc34389564aca79b306113cc7b

SHA512
a1bb2426525828144747e23dbc32fa27f18b85ed6444ffd4c92531af036aa5564569b372c9b1eb1f0dd7581acfcc709d4d77fb1f673c8946eca7e3ddbdfa2647

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgEQ.exe

Filesize
237KB

MD5
e95090177c939607626b858e40186af1

SHA1
952bafe3821528470229e508c654d081d67cb1a2

SHA256
d2d75fb96121cc58422b1bb126909e2f5482ecc288bcea1e1d1a98a446d3241c

SHA512
0d15440a8a87d3cf771b32f2dbb8cc60915956c38aab1577a14e610100223b67e91a45de0b4a2131e5c8019560c799fc10d09290ec78f9eb6a6dcced9a1c7f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMIS.exe

Filesize
324KB

MD5
5237e7d6b959e3d64799348319e6fa78

SHA1
02b978b3490d848d9dbaf7c039cf63ee720e7218

SHA256
bde933b40d4bd4ff62569f06f705f2d08387499aec4c7152de302ff56c073fec

SHA512
445170d9bce7b998b16d42a7dfde1084c9b199ee2879413c15ccc4d73892bd8ccc621efd79546a5de54740284f394446282e06e345f2a116eb310de810a19be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsQa.exe

Filesize
226KB

MD5
526a5faf945feef40f58d4f5eb48497b

SHA1
b9d4fdc17276e55f557778579ea482fa7b3caa0a

SHA256
e1d8e69891842fc9d59777e3a3faf2da5d1deecbd40af16cd8ff498c72778dba

SHA512
798274ebe41126ee7b5334900e2dd0fda1ff3339db35a7bd04592f9185aa078282ce828babe249b9e718f7effc0c04ef386f554f191ed0c09367308c00c39c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQMa.exe

Filesize
985KB

MD5
a15bc10588558bec0196198b6786b0c6

SHA1
f84cc632f2b9459a260740b300d59a161ecf170f

SHA256
0001e518447a52afe08c1f0fc06937bf9f34265efc45fdfefa7c14ee272c968c

SHA512
45afe2d5e5134aa2f63a389e500f56c3868caaec816da32e8b85a638dbd3202aa8298c17ffb92a426cbce5122ff8a9bf457dfe39318103760883999cf28ae0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUkO.exe

Filesize
191KB

MD5
1fa49c18c01a24fa188713604ab6c662

SHA1
1de412d0fa01538d9df1557180d334a6b06eb3ff

SHA256
6590ecdbc87f92703c9e6ed1cd798b5dce1c3b3d47e62a77c8a09e5647cd16d4

SHA512
e358d0fdc8805f4a6c170c510ac3b06345734e582e72f1c614a83dce271564bfc2cda88bd38c607044bb14b21e360f2f8928b04b773be23590d8285b97438808

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYou.exe

Filesize
198KB

MD5
608cce7228ad1add1cd01cb0c94c0a85

SHA1
fab42151698c75c45cc0acad7378faf2f90c386f

SHA256
f6c20a82a2feadb07f8b218b6e008b40d2fe0fb5acd9547a1852ea74a60f1290

SHA512
4d9b938913192a1e7762c684c45ce01aa5e049eec7fe4b364da49dadba28b21c1d02a9c4afa39de8a4b11a8fad807f614c555db8df49b0d29049c046528d771b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwAW.exe

Filesize
209KB

MD5
c0c160e6fcdffd1bd6fd7f144b261422

SHA1
633bf5d84eb19cc1a4ee0431ca4e279d84e62939

SHA256
aa615fe954e6c087f3d9b6a67567682bdf6cb1f20fe3023f927211c1f21c87a0

SHA512
24d4dfb37ed029ca264dfc1229fe8f868233d54d1264f7a50390ecaaba7a4be3c20ea85c21fc00dedcaa8ac90a694a33d660457177eb73169ef85ac1d0831780

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcIm.exe

Filesize
190KB

MD5
4bf76a9d777278b400bfe924679ba757

SHA1
fcf6ee5e70638258309b43d1201c22e26e606af2

SHA256
f5ea8deabc7a23d67f5176946ca4136c75d434ef94c1fcda8cba43c1fa53984b

SHA512
7df62231d48cd53f94610a2538c46b25eff518702394bdb2d1aa03ec590fda1edfb3ae1abfcba851df7092477bb0169022c9f1f585e586269f117c6fb9bbeb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMYIUEko.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgsY.exe

Filesize
185KB

MD5
304777b604cb9b83b5bdd0a90a5776b5

SHA1
a6b02af9b7fd7d7180a8fcf0c690d9fb81c76b1c

SHA256
2944d537339d66de1987c81b8fdf5c7f3b29f9a55a69b2b92ffc9daf233aaf14

SHA512
f7d75f470b06b2dd221b67d1923aa20e1ff87ea13f909f528d11e04636c7c82fa221bf74526e3364bd913c3da0f769fa765fea6d3eb0c7ea9091ea27ce0a552d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoYc.exe

Filesize
195KB

MD5
ed84d1361a0ccb3380745cc56bd56237

SHA1
f24f743c10b4632076f5b6bb71e3c044beb5896c

SHA256
c2452ce50a0a11c4ea18e7767ff54f2b030f1a22b27b9bd4f5bef11d01e96b24

SHA512
f136f9a24f7bae302a5ef1412f3ebfb1bb0babaa0be67a085adf17b160090734a484ca947e37689f82f457f9ed4624254129cd6ecfd6d3559fa8825a82d34111

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsYk.exe

Filesize
190KB

MD5
3c4c1d77762fa40d35f566a651d7b42a

SHA1
93bb8a0592169025b41986c1b27d1d133903447f

SHA256
ca89ea7690f76df89fd5d1d7c97f1fd05065cd162f80e0db08dcd5e5ac8d3829

SHA512
85273a6b67b710f57c9a6e5ce7d948930dfe31efa1baefe6b2030ec39c24f102978a9ab72727c29dfed583733aa6c17e6cda013a622826212288cf862d253551

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQYm.exe

Filesize
641KB

MD5
263d1350838d7b6cbd6ee529059263e1

SHA1
bb0ba6b8f12086f39294067a6832adc7b9aca73d

SHA256
c8e389d23f67278e1b1912968cb952393b902d8d8848aa4636a8b52777b6a930

SHA512
066ecf2d8e80f3042d96d2f344abb1ddf7adc80a605d47b374fe2d9b0727f6c48ea855a9ee28e7b0ad6f24295cfca34e54e6ae7f8a929c1dd272773cde529fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkEc.exe

Filesize
567KB

MD5
1e3122c8bf1492de02e17dbe3edf398e

SHA1
d8e8c08db567c4d0edeaf59d8ee8645382598e6a

SHA256
b8b68b1d16f879313e5b5d72b43af9daafff8550ee601fb4b61c94519116f13a

SHA512
90349180b7175a43b9c86e7118c0745f7b3919ac234c9b7f33ba5cba7a79d1459353da835102f421bae619ee5aeb7911184c3eafbb2bf708f3a2cb3664bd4acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMkG.exe

Filesize
183KB

MD5
3c367b45a234453d80a1a9d719ab01a9

SHA1
a24ca47443ebd43b9bb0c8db75d6f7af3ec69a6c

SHA256
961e2c11b7f5455942b78770702f5ef0652f72186676cf92b365a55c8e8f0d3b

SHA512
6ffb1d8267f15c54389c34b653692dfe36171895e68f6f6b94be5f77f3a84386c97a731260a0c48a5655cc302915bb1cdb168f14946dee501f4a936c6f70e512

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsMcgYcU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAYo.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUQI.exe

Filesize
200KB

MD5
7efcd340fbcce8543f32b3e2b001ef15

SHA1
3ce7fc00d58318aec902cb2d616efe2b6665b4c4

SHA256
ce737473c1c51e8575db211e8f02cd64f83b265e3580a3d95c6e3a18c9bc3237

SHA512
cce7b2ca92372c24c5bcd3b12d96ad28da2193955eb80d56c07b27790016e1f2573c549174d5636d1223b4bc48a90ca0e1f84478397d51f9d0ad5062e42fdb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWAYcgkc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYgu.exe

Filesize
221KB

MD5
de6ef57b26246589fb20f37d9c487c5c

SHA1
a8d95b31ce0e0cd934843e71780561741d987925

SHA256
e9a2ef60206699ae6e6f29533e25566c46ae4069ef6b1245d48fdd898225b10c

SHA512
5bfb0a665ae43e2631fafc10365dc546b00173f014263f0b7eedd247e1c3591d9ed7e5042645f7972440ea347243fa96a2b56d266062fedd5eb9ce347cf22ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vcku.exe

Filesize
5.9MB

MD5
c0b7cfa01d43994c40867c3a9f4693b6

SHA1
ef62f58f0653bef36144bfa3d4f250928a1982f2

SHA256
20b8be881a9004d3aa29ec21b0f3e1df21cd0b16fd12b71f4c37ac877823b17d

SHA512
45fe264566e799d6eba3ddbcd4bda3e81b3b508afd79f8ef9353b9ad6f64998625de133c8928f671fd5ccdcadf65c2d063c88998f2784473e81ab341d734e43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwIY.exe

Filesize
201KB

MD5
021173e9e480dea9423499d1ac366aca

SHA1
4013b6ee227e29a8d558e7749799bcc9bee73a7a

SHA256
4db81e414363d078cba0ac70ce9dfefb2ad01d9e039556c201c8adb0d2d3d327

SHA512
58a68d306f7692a5a051b3a83e9307c43a5bd38db351939e3e78d139798d6420215c8c05d509b92159be5fcdfe3b836f57e92d79c538f733e24016bd34e83ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwcK.exe

Filesize
194KB

MD5
ea4d55f2c0e6bffa37c4761fe0e90f74

SHA1
cf349a8732b65dc889b69bcc5047462f95f3ec70

SHA256
ac3bcfc5ce6456760305c0b1a8816bfc880e4aed5c22c41d6c9324dd6b198b20

SHA512
89d6aaf55ad11f8d3b0a8bf974ecc0e0ecae29fb07dd27138ed8ced09ffdbcb738e96af581ddb1b6c7ec1c59e6861553fe1a378cad61f742323acfc4f3889939

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIgA.exe

Filesize
204KB

MD5
0b916415c33251fcb00b78bbc1e62787

SHA1
9dfdc4f4eab1cb6ea13512755bd76603cce74ffe

SHA256
bec49db02caee8668ed1eef3f6da601a8a88775f39b9543d96d832b4f33a41f2

SHA512
b679a910a85927ca7a2bf50318dc0473571a8b12748c81de5fe1cb982531c4fab82fb149cf21efa3e491c7fa8bdc11ffc64ad9757b3ff19b0590d8b78f0d480d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIoG.exe

Filesize
445KB

MD5
501a138dcef635c47546802358e3b0d9

SHA1
6b48118e38216cbc932e50771402d0684aaa8acb

SHA256
c0eb65e69dfac8b07755642d19279985ead08b0f8cf37edf246690515338ae74

SHA512
3dce91b1c9cbbf52f2875d6024894fc044455bacc25aa26e7d3f8371666edf43542c378f2b635c1bb9432e3aa077b8c46db6f87199fe3328ac375ee7a1f6a3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcYW.exe

Filesize
195KB

MD5
5f653003fc5a177ede775dd0a6cb6af7

SHA1
739498e571251399d7121f1bdfef4643838799a4

SHA256
efd9e4ea312107f783a207207a654f515fedf9f6e012a3e6c493b745948769c0

SHA512
1f4e18898737e9114a5115de7c2d082fe6af8383003da9bf1310566b3f17d07828bb05f86d1ab1c6692a94d257973fec413436dfc062e985aa8f7771daf84584

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAcS.exe

Filesize
189KB

MD5
fb7e12cbcb842f86fb5582234b216244

SHA1
33102861b75472bec1056662a6f0c5394752eb0b

SHA256
a0b9538c712da7c83b23808bea30209d7ac8ca0084a724c2ad83571a2e9b713c

SHA512
099569a7be8569272b9dd3b104012a243b28b7dc4633b7807f6975abf5065923a02bfa1d5c41bffaa4c84c70806db1ce28da4967dedef058d585872429180c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMUG.exe

Filesize
312KB

MD5
4c93a5850daae3b453d25082d215fc72

SHA1
90fafbec414d82717fe8dee55c5fd603483442a1

SHA256
5d0010dcf55519c8641c98aa1025867b464ed8490c8d98d8eeff55906fe18f98

SHA512
3e25180918cbf709ee990268bceff4508514dcae7c8288383f43df561e724c8960842c880b4d8ab7882000f4a3bcc9c15daae382aa5b1dffa9ccb2dda3d654e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQki.exe

Filesize
184KB

MD5
ba7639993a98d0dfc9157790b84d620b

SHA1
4fd07ef9a4ec70a552cad8a056a23b3074437cd2

SHA256
66a87003737c797ab76c554fa66c1fcc2c9d624b983d80264a06b465b085a6fe

SHA512
096dc5c3fc5882c31d0f6f7f2943ca35cf035becc2d8974a9629dfb18e01f14cb75c2667eb188a165555d6ec0944f5c647bcdb3440481966565d697e49f2d15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcoU.exe

Filesize
186KB

MD5
14dec49432db030afb1b2b733b3e3e1d

SHA1
0647a26e819fc3df8f0634f62553a39cf73ede67

SHA256
aafce6f3c6a8aeedc7e5243024da4b8879ac2d3a65f2317621a2f716b01bc4b0

SHA512
0a32737bcbb8b24184582c1e2540caa5eaa0e43c860d2538e9ccaadb119eb72cf663b90889383b2ec3320c8ecde2d2fe89d82296a1aaedf1d9caf0658182e9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQEW.exe

Filesize
400KB

MD5
686ddb8189a4f4ae5339167cf330fdc8

SHA1
d15758592566a2566f7c8c238c668b0c43615b5f

SHA256
f35c82655571c3eeac546cc6e24eb154992818ea024c2432cffaca29204db238

SHA512
806bd1fae740aabb011d9cd139dddab30e1b111acb48bd234d28dddc7041fe63f21bf97a9a5fb033459599ed974399d1f5d437c7f0837b65099e25c2a3e9e887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zkgw.exe

Filesize
183KB

MD5
a40cacbe3ede5dfa7d8d07b022787ee7

SHA1
dcda86587b1bdce05034ca31cd8bc7b2644fd8e1

SHA256
9806d6e34ec1fb8d3037defa427fd9cdc6b490a34b4f4d583ea628625d52b6c0

SHA512
72ea71f789ed5b85ab6ec89562d102eeb13accd1596dbb0839e214135c83e07f7a2d2ddacb6a99c4d0b81852f43480ff24d20d137d7992b7fb5acf2dbd098f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEMM.exe

Filesize
207KB

MD5
7a7294f85bc0a501939999ec7fb5da3d

SHA1
dbe4054da25ef3fa2114a5052c7739b4c11c355f

SHA256
07c3e55f216cc286fcef248cff480f6408d8fcf0fa5ab47a1dda86edfa4260b3

SHA512
a6c2b5a39837d8a56ebd8f568f5f569e74329db166a36edcf46b1310574ed1be98f0ce2c1615337a5fe5b6505fb1dd95320c8cec1237056c63445bbfe021e077

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIEc.exe

Filesize
190KB

MD5
bf94c9c0dd4b17bb75784ffc550d03e2

SHA1
561ad4f20a58f62294bbe0595c49b09d43543575

SHA256
7cc4630a0c430651af9017060c4f67d3ab7af0497212d778974f9479a226e1c4

SHA512
9d9f213a6babaa26889e38712c1da35695ff4f0e6e91555bfc5809bc73dfd96a19dbf42431e651876a0d2ceb7d09e4300bbf98c3cfeec2b72334115659a57175

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMoI.exe

Filesize
784KB

MD5
7f83e39fd144f016516d4d551bd77f85

SHA1
017af84d18e0e4917148b9da8c633a6e4cc751a3

SHA256
966d834c159b49ebf34bc1c8dde4b8a64b8d50ff7de5173cda7118567e6281ac

SHA512
0f9b5806893e9072ab30bf16a63ddd3592ac12786c5aed5b337ade2be80623902bfea201d0d00036476854a06dbb69a36ac789275d30cd39ec99c16c85bfedfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\akMM.exe

Filesize
199KB

MD5
fb01f02ef9361268a4086fc9da4fe638

SHA1
677774cf20b94f1d0cbc14f282148e4af298aee3

SHA256
0f3fea1183a82aac2d81faaadcf2f3c4e35175777ba66e1e34f7a65150ff9d3d

SHA512
07a24c6a8408cfab286d6ac435d745ec4d75621702ba864623a14adc7d8b15b2b9f174ba4cc7743a173f198dd79b7b881f2de48a3c8b44df1f0a31bdbbbfc245

Download Submit
C:\Users\Admin\AppData\Local\Temp\awgY.exe

Filesize
192KB

MD5
9b18bc3154aa02c677666efd2cb39fd7

SHA1
77bd68f42e67d94973dfb1a74cc9185c606975a6

SHA256
30d6a2091a6b6be7dd5721e0617db2b009f8d23c7039ec694c17261b14eb3560

SHA512
479323645555372686a9a4ddbe64b5f0b1bedcf5ddc546121b53f38814a765bba700b002543092d6eff5e17d14e101fa39d12eb5fd4ef59be8eaa58b4aef07e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAss.exe

Filesize
188KB

MD5
0ebbe1600a0b293738a158e877647e65

SHA1
636070cae92b39b0f8f8136292f4d278888b82f9

SHA256
de3d0e4da023322d9a58e6b892d0b8772eb6bf5f217be410bc109a49c09235a8

SHA512
0ae3cd97b979a44d984aa1ea9d0b7cf640e76ad436f28624f1a8595bcee13729213f611002c8f7a5b90028bf682e49960f02b2cd21e5d1cd9d60fdb8ea7d3187

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUYK.exe

Filesize
212KB

MD5
62d5d400890111a426aeedc26363ba84

SHA1
0f574f2be9d7e1011066422580868bcf8f64045f

SHA256
a85a884c8df27cbdcd7d18d4c654b15226620dd91d0a4d3e8f80c4cff8f8a2a9

SHA512
b602ee88ce720188f0aa9d0f9e2ed056de4455977d6bc39ff438628e12cc3424dfca85ba4abe72a3c3843416a6a422827c960a84d3d126fc86bfdf8e09cdb45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYMkMIAY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcQG.exe

Filesize
195KB

MD5
966fd53a78cf88ab94a24c0d64f7f842

SHA1
40a343869851bf883bb5d975c31bcbf2352f5fd5

SHA256
c915ea27d7543f6be0acc61c0ca829770f67cc3fcedde0c46f389d3c8203db7b

SHA512
b3f3d32e4bdc7c9344835d44bb845dc50012256e07e0f51572c019600f4caef50ac9c586f6bf639244c33046f0af506b72613c402555b8cea78134b07149ee0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bowy.exe

Filesize
182KB

MD5
174d96733f41da6c16d0da9a1edab774

SHA1
ef17d41258d8654534f1248583362b496d290808

SHA256
d884b497315459d8ccfc8e07f93fc301191273b14fca2f533fc5751956056940

SHA512
9a42e5ad763a2f991ccf18d29e02c3b96f74b9aed643cd6eb4a2900ac2f7322a33963cc01c4281194eeea3ba41a9e75e098d74d259bff520673cca3859df98c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cWAkAYcQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUkS.exe

Filesize
182KB

MD5
34154efd5eee3fa644a2c286cfb6bcf9

SHA1
bf527a535444d3b793a242a6c1fa79697e698a96

SHA256
4312c16711d6703b4224fae0d294ffa9405caed7b41027d5236660bd1667fd5d

SHA512
ec90abe47063e8a7eab7b9a453d2a2dde46bd1e5baf7d12ebff37126d66d095e03aaf76681f7aee98b79bd0e0fc23360382ebd2ee9a4f919d96565ae469a7f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecQI.exe

Filesize
181KB

MD5
efa06f5163afbc2e872ecf40683b6e0a

SHA1
87401a5136ed1223da8892a170ad1b798a785bf8

SHA256
52ba9d9cd1d4e6660be416647cf2fafc11d5c5e9667d24fce2cef6928d882100

SHA512
b0769446c1dd39c984eb84158d6907f18e1f9d38ed606d5fb4abe906b45da9e4804ecf590b1d39a19efbd6ce6f7a760706ca691b75a6ae64991a95c4dc674177

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewcc.exe

Filesize
629KB

MD5
f87dc7df98ffbc854037ac5d15edc108

SHA1
d47d7202b5dfed3e59be7edd6802d9445f17d2b6

SHA256
3b916070c68290e08cab9f205553df6bed4ef0cf2818487d1ba91cad3601aff7

SHA512
2bba9e09c1705d750d5284ca8ff6e459c2193f316bf9d7c23037e79c54ab3c956208ee8aaeec06c9ca299759bec1c19a9a6b4f5c85cc3e23fe45e170d333e817

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIoA.exe

Filesize
201KB

MD5
4a2581ed96f181767b95a2bb6bf0a385

SHA1
e509fde333eb7fe656c3476cf5ae2863f321815d

SHA256
30b52b77773212b3c5d8f2a033d96e016c649450857b5b74c171a9a764fd3083

SHA512
796cc9a86d8d0119e1f08d5ef721853bbcbddde21499b34af977a72dd606fb87d28ac49be4320854b9b822ea7b2f687d6ddf39f2263a3ec60a2e455a9fb71d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUMU.exe

Filesize
754KB

MD5
c397bc4f846cbd3ed4ebaa2c04ec24dc

SHA1
ae30f3934a9cd648fed6420df810127809f43ff7

SHA256
353ad3ea3d9235a70d1a6bce66f35cf53543981b3a413b55cf9871bb66960029

SHA512
40a08f41c532d7e7183e630fd43e3615e3c2639f17323d978f3c7dabfcc2435df4b1679eaf2d5e3f804a6690828f38f82398d22e0b5f26c2871235dcf5a46e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEIw.exe

Filesize
653KB

MD5
f4b635e05a26ecfba5d0b5373f5bd7a8

SHA1
44b3bd92e3778a39f9dd78c9a63989bcdcbb4f88

SHA256
cf5dfe1d4193b06e0e52505493c27bbdcf52a7f6c9f2e8057931449da7a5b43e

SHA512
ca39c4da55924b6219769a22d74a0b0b3159f0ec9494f90b3e38b643d58a989bc5708983d38f983146e26d0a1af179f44250ff018678421f9835310e21a11a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkQI.exe

Filesize
236KB

MD5
f0ebda56f1444f9eb7b6d59fc30a666f

SHA1
dfa7917f9aa494d10e575cbf1be2890905dd65ff

SHA256
bd9510999de95013fd32f48cf875e8186d8e4330a2b1edf2950ff42cced62401

SHA512
194dd36dee2c6d675b019aa07e5a5ebced4a8f81cb887c98f7849bf84133809ad93f34a47832999af83ee242d539af52f6c824e9dd9b99e1b2b33ee01b09c113

Download Submit
C:\Users\Admin\AppData\Local\Temp\hggk.exe

Filesize
200KB

MD5
7ef13408c5968b6555a85586040e2a85

SHA1
d4fe4ff6727ce0b93bc7c0959efa4eab93eece8f

SHA256
ca4bc905e9163be382712f14864dcb497652e95a3c5ee2429a9bd3e0e94aee48

SHA512
55cdc693afe055bddc9397f581039f09eb376ad4911decc54ff8d70c20e735a3b185f17a79c8aad07d0f4ed6c87d6889751f5f2446c01965a35240a4dff651ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkEC.exe

Filesize
203KB

MD5
f1b81af18b10fa92ae2e132617bbb080

SHA1
fbe7672f6f9f05b13b303fa08d3eeb4a24457f48

SHA256
cd9677fee79c703069fc2f4a1715bf1e496d3d5586792696900074479f11b029

SHA512
808435944affe3a75d57166cc22ad381ff30bd44abb56fee81b8502736e658503ff9d9fd10d65ab24cb0ffd98ee68af3f3a79f741f20b9e491ae721be4eeeace

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAMM.exe

Filesize
738KB

MD5
fb343acb32cec25ffa5133b0e601110b

SHA1
cd7f02cd403dcc756f78d11391aa028d53df444f

SHA256
a5f9437a1b3d349357aa252edeba17e9e028fb6a8a786b190b9dba83eb8487f7

SHA512
7bd87f2bc0e870e56db469b1886ad6972e181f0ed4b33e4be44853faf9d6a8c7a50ee5810957b5dd1ec98c95a465c2f44436e95a71de226f79297f5f16d5e347

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMoS.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikoM.exe

Filesize
190KB

MD5
39227daf5684bde80c4ad56752f5e518

SHA1
3772481fc8cfd0e91a834cbf5253185212c77c55

SHA256
554c4c5ed3b94f3c22cd7074d47be39eaf72fafe50d2c6701296bbed9dd26f50

SHA512
8592e8090ff44371c0d15a0b011e16d05ea5e8c4ca799e926eaf751792549d274136d6f467b5471452409765c42884a9082875dd63936866e71646369ec6f19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\isEg.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYoI.exe

Filesize
185KB

MD5
ae4472964432ee43a0376b8fff4b262f

SHA1
bd9c45c6f750f7bf2707539572a4bf5b9066cce4

SHA256
78184cfa34388eedb543df55129aa3d43f97a5d65be0c39522970812b509c999

SHA512
553c1951ab9c69bbc6ac02371f109682dae620949e407e8cf263b3a572065e4ebcc87a8b276dcdb4aba49cf401bc71457b3892b064ffd30b8bd847a6b6c676a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgwW.exe

Filesize
187KB

MD5
eb600f3d762af8335fec0529b1ee68ad

SHA1
ef4711de05870a28a1c6fae91a981f6d7b808228

SHA256
6c98c91eb2a511ce4f7b867eac741f47d3508815c622b63c9d83ec684c1d556a

SHA512
74fd415406ae6bc3e3d0e6e8dc05de9e1f80caa1d4379ca0915b052d26f464af7c4f1ba3478657db53a3ebbfd961641be08d291973377b02156c9128d36d1703

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcIE.exe

Filesize
209KB

MD5
a11f3e4805451791f29c06b8677f315d

SHA1
4b0245837ce469861cd9eacfe7cf1a6a813cfbae

SHA256
8f878edd580418e6e27cc676fff43e5f75108325b5c2e02cc98e9bf8bd738285

SHA512
e717139b999197b32814506c90c2e7d23a8629eb2536bea9d43958684a996961889ba6bdb8bce6673944375ddff4a5c8341f20c4f1d1ef767e3a4c061a1495e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksQg.exe

Filesize
196KB

MD5
55722fe6663060cde070b3b6860ef308

SHA1
068760f5d8458465dcd6c2edf334fdec8948cd31

SHA256
f5685ff267edf94219785de95d9bf8cd155ad99aa31ddf9c41bc6cd92fb4ef0d

SHA512
198a398d176954023ca3d674824f84e37bd92ee156645b58f30eabd3080b65af256a7e00fa82939604569e6539e06ace1314f35c25b20e41f69d3b80a4663d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\kswG.exe

Filesize
204KB

MD5
3d68171cc9a4749b48791e46522788fa

SHA1
08584c988b8d66542109e2efe5c7868da491362b

SHA256
13398b188e5dc9ef705d63ff50134643ae522b2a54565a51eab9ea73f0807f51

SHA512
c7c727197547cc888069ffcf1bb61241fabd9f9110d858abea30f3813a984faa44e733d145f456e11b9c1121d8b08f7033154dacf223f8f731f94c552319611c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIMQ.exe

Filesize
628KB

MD5
579e6d387ded0cf92883853953383e78

SHA1
20e6c0107aeb6d0d916f22865c2d097d65096983

SHA256
25a141d0ee7e2d4be66a63f5635c4af4712c1b8ef0533c8575b747d1d592db10

SHA512
b81b2f7eb6cd645b08e9f204a00611a040f5c56427414eb675535cc9b2fa179206a7b83bbaa1135587437ae0e3869d58e6de79ca2bf6cedcd6b3485f11af84a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lSIgMQYo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYAc.exe

Filesize
616KB

MD5
ae4e57924caad723a1bde40be2c093aa

SHA1
fdd65835b8a10ed22b1becb509776f86e00dedb2

SHA256
af41d0c966faecba200eeb3ab5580b9fc80e219d3c76b979e9447717542552a0

SHA512
cfec7347d2202579d070a1db0458d5b51a437da00ceb96cd84a3557518d6e2f6533c3bed45a280eab87fc5677d90f9b45881246c33eb0c9bf6dbf07f8cb03248

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcwq.exe

Filesize
556KB

MD5
55fb66bc1548f7556466af99fe25fc9e

SHA1
ab5d50104d86a6ed8f9c8132090c87bc99e87b79

SHA256
66d15b607896537ec46161c3b79c3a36eafa19035bffc08f3e01fb646734aa52

SHA512
2b94dba7d2784938a62042a3071d3b4adabd6c5464956aaa6bff7386bce656bc3bb7172e3f6ae794386402c94bb0afffcbcb01d84e0a9dff278d3e741cad50a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lecAQoYc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAMe.exe

Filesize
187KB

MD5
cde07061b9c19a3dc228ddceb3d973bc

SHA1
67bc0c79092dc5e137090dcce0910ff81cdcb1f6

SHA256
0b5ff05e6a314a53bafe594a9e828a50d9828be20316546ba1177a0ad1dbdde2

SHA512
e2bc5397d5733ddad7d8eed5f7646d4db98eed0b3f89593f596c0c36dd8b601824c4de5f3984d3b8084aa16db7c7a604a01bed38f00ff0146b81302974751857

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYkG.exe

Filesize
5.2MB

MD5
ac176b5bb4b2aa0d1c51a21c28a451d3

SHA1
c0689a1bb9bca2a99e9816ce69dedd37eeb62bc3

SHA256
90c7fb383174925cc0ee6713d826d7c5859856049898b64c7ff23146b1e8a86f

SHA512
5eef2308a2ce6ab0397b73deba8d691c76ad7351b96a06d8801286fe9048d39091473c1cb69c27667bc6eb6e351bdcdb9ce622b0795906d91b0925f571da7ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcsa.exe

Filesize
5.9MB

MD5
f6a27b972c330af27754bad614b4dbf4

SHA1
60393bc92a4d15ed523acdff15e30d767bb61d59

SHA256
79d556ed45772b51047e62e3d2c2aeee63bb997d7cb374e4254f45d34fe91dd3

SHA512
a9d3282b1c57b38812cfff9ece2ed5c6fe288ae144d1c9dab479f46d05664eed6b2a4a744cc44e7d9478f2216c5003ffaba4f95d9d9787e800085db6b2ae3df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\msoY.exe

Filesize
187KB

MD5
66f863fccfafefff2534432a113662e6

SHA1
9da9c005efd3f4447a36dec2a398abeb95ab82f2

SHA256
4a47a4345ae619c5368bd15c23512e23a948d35af50050055d4c8256c1c725f4

SHA512
69687b8ba410adf12cd121b98782aafb014d0ff4397beebd522a763ac2c37c90ffabc97de764853474a3908fb971ce7b1005cb4282032d1066604e629c07e6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYEe.exe

Filesize
322KB

MD5
0be028ec21bf9ecd6c20b855b697effd

SHA1
5eecf8df635386499833cfd66a37332c24747da4

SHA256
62a3aca8dd893f8f11652698a524d8df6d2f33084610c373ef2c16d5c6c1ef37

SHA512
7751ffeab53bd2809057adae7534c6155a08a0a169e475773cd84782553cfc4eefd2e77cfbd45f353a6cd7dbcc54eeced25035f398ba58e94e190697cac5e10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYkYEkYQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\noIC.exe

Filesize
218KB

MD5
37ab24616e7d8d7395839051fca2644d

SHA1
d058a68b11801668cd84eefffd7e74d484f760f0

SHA256
c5a92451e9b8a1dde1cd41dc3e43960819e4742232274b8b0c734257b5a3cd30

SHA512
0afb54e7c46022a2ae0fa31b8eb539ba99a243754a29717827902408397034aeeee677f7396653545dda1cbed860133e50389b2c8e58eecf6cd042d676d9b17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEIg.exe

Filesize
194KB

MD5
5f928bdb67ab173a59e0dc2960a5d5d0

SHA1
a903185321a8cd1194335a956c455edb11d85a73

SHA256
6c693ccfaabb923a67cd80f2916d525e7e58f6d495cbe0af57805bfcc971e5f8

SHA512
99febee3d62147c08e8a11752b68ff46c74eda1267615490c1eeb3e1274ed413f2afb338d40e9ada00d6997d030e6457252c7d0eee0b02321e4ee5a80b083cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIQm.exe

Filesize
193KB

MD5
47b6b0e78412514ef9f07468bbce773a

SHA1
7228e66caf8289b23116bcf572854d3a1f6912db

SHA256
a29285510b04e995a5dd5a27f6f3121843fedb4d5bc07e1f8403754e80bbcd64

SHA512
b80dc02f905fdc85b03eac9a83dc35b9cf2920a2350e142ac0c93474c525ca8c462f62c81ff8f12484d658b966f0c4e8d2baf570946e957543ddce7768a2c8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEYs.exe

Filesize
570KB

MD5
426c6c02d61fb350507d0262fca172e6

SHA1
d912f8ccf396ef8db132e70ee163c519df0e4e71

SHA256
b61b79e579690b583ea626502ef5db7ed209d05769ce659cfd37b8cdc9facbed

SHA512
96909e279f9a7fdf894b66c519649208054b8f66227bcd809a55fde15d733149a83044d079c4ed77f2f072b0973b13df8541a89930fde0d1a28a14cef10dfaa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYgC.exe

Filesize
195KB

MD5
e79c4076b3f4f051b2c6a71e2213d15e

SHA1
d7dc468cde0ffd6586e36e49d1a479e9b6ab8553

SHA256
e74b3e541d997fe331113497fe25e59e48b368715eb9ffabbaa2a6c3630fe877

SHA512
cc4ae4962a4070b2ea3b81cea54960ec985d66fe930792039b01fb61ed7a673f879e8699dffa8dcbf2f5878cc18da92ef6379a5f1e2ff861e4be32b3dec4f20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pegUkMEI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMYm.exe

Filesize
740KB

MD5
d888c9e4c1ed22b8501739d73aba4855

SHA1
855c63305837daf4523d1c9e0b220ed4d240fa79

SHA256
8a26462aa9b9ee316f27fb7032f6cc9101605dee4dba11f61004b79452ec4d53

SHA512
87b7170a47a025cd76a26071e532e7e03416589267104288ddb30f332b81b15e808ec4ce65db0a2c895b618505a729225d346d91dfae45ed06979163b615029b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qggQkIQc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwQA.exe

Filesize
1.8MB

MD5
7e3110b1ecc65f2792b5e4fb7d91f5c5

SHA1
70cff5b1ad51df8c03902132ddd3ea560100d75c

SHA256
f6f27f814cbe860a122228310894573aa2739eedeb20e7c9961b64f6d7d2a5e3

SHA512
47d2de1a87be9cebf9d39be4a4877f3d807c34cf201d36c9b8a9f888a474620056dea1b2704bfc4c2c2a0847e80f860da26992c868b350caaf8c69fe4f4dc3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCwoswYQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\roAO.exe

Filesize
191KB

MD5
494a1e84c0fc770f5eae9626aee373df

SHA1
b089215208e1531947dd03083ded930cc7c05036

SHA256
301bfb6cb7976f8082c33a484ee37f2516421145ea77c71edf74ba504fac9f27

SHA512
e897083e2e2ed85f66567df6276600db7774ac4fe579d115e4050327b2d4fd427f93b328fbb397605c1e4af682b2be2f2be1d90eef51eb3cec20650dd5486661

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwUM.exe

Filesize
190KB

MD5
5d6833be19b7342a21c2469009b1a255

SHA1
18509b159a2c93db0ac903af904735333aeaa304

SHA256
adeb9cdad5e2dd0dbcb1262dc1096673bd2a719fb15262a8a286a76beb85111b

SHA512
ca3879e4968bee7f1900d633970cdead118896ba8a15844264d32b944e4a1dc038e70412f7db06e16649c97c374afe61c96abac7309601559f825406f280be69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssIoAMoM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssca.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIUM.exe

Filesize
832KB

MD5
17ca29537f23d05b200e75a360353fa4

SHA1
d63538375f725bbba432b07451586c2abb5b3520

SHA256
b8166dbbb7eb454a0c09e5df566e1591ffb3929607c5e6a96f2f97c3f3304877

SHA512
c4320592a6e8d103d094682d1bd3d35f0822f937d735712714a0b5e10e2a5f5b6c4ba5115481bd9c382bc7837672298f68bffe0ee5385fe90a29bb7add88a4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIsMoIUM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIsMoIUM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQYm.exe

Filesize
5.9MB

MD5
9d626a041caa0c52ff96c2d2e3c1cc75

SHA1
d458d472840494df27b517c6c0a52bc80013cf36

SHA256
4830c0b83f0d1cdef98d2531ad21dd6557fcdfea813eec6069f2882c45044a4b

SHA512
e2e068fd7bb2f8f2d32a5e92170f4332d2bda8d7b40c5f51a9cee9c804d90ecc079a989806833fe331909367236e471591368baca194270ce86d0a90e26c8a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsoq.exe

Filesize
207KB

MD5
09a7b43a19094b8271ae86842ecb1e89

SHA1
248cb3d68689ac09bf7dec0b1778eb717d806fe1

SHA256
474dff8845b7a2453cd99178b9f604f34d3e0915aa7f348f6ae905063cbc508c

SHA512
98490dcb0a9c65885cfbe7d2f7eadab0a790e4c3f27bcbd7ead7a107107a27513c9988b46c9f4c88927e5e2bdf41f1706bd3386ba97d3747d99099d6efbe98e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIEE.exe

Filesize
216KB

MD5
733a02bc80f74a4e937e3b5ca1d59db5

SHA1
eed74998b64dc6780534e80b50c92508dfdb9d28

SHA256
f0580f888e6a1b639157ac245d603ddb0ae1301e6b954d63f9568e05834938e0

SHA512
16b4c40b6413e0fb7d15e4d00cc0425fd631144d6101529ba11bae1e38744cacb172d27536e50ec7249aaf5a349df7db6cccbafdfa79021c340c52fc0cee9630

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIMg.exe

Filesize
203KB

MD5
8ac77f57d7d8d03f1a189664ce4da686

SHA1
85df1e4bdc8e153a9b401830e209584ce93db339

SHA256
c20622a5180b49a94c1b6175c2463a6dd05ea5a79e0e10d1dd0113580c994ae5

SHA512
16efe1963638ef6a1e9d5a818a2612fbbd06949f3beb9cece647d2baaf7cfe9ed57f3f4a807028caad9f96182818420d63a9c49c14f2f8a4e8e65a1217166963

Download Submit
C:\Users\Admin\AppData\Local\Temp\uWEUIMEM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYkQ.exe

Filesize
188KB

MD5
c881e1e6fb7d76ce33d7a37dab33a63d

SHA1
bdc7c796f1ab363392279e78178cf80afdc90bd0

SHA256
91f2166234ac910c78de25f657b63976a120181b693ac696df7bc2516bd38b3a

SHA512
3232081703c16951e860337b8c9517d152e4a384bf6d74c57d13963a7dcee7bd71616a58f0d3895ac8b2763ae3590edc1b9f468baeb1be406897804443f6552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYoA.exe

Filesize
881KB

MD5
69db9b701d0ea708cfdaa88d7ff846ac

SHA1
ae04510568ec34e2503c02f551cbb8a3f4af00da

SHA256
a6c6b93500d4ea2d5563f4951bbce74ee7c8cc5cd76cb2409eab06113d89dbd8

SHA512
7540f99d60382e7353655a6f10939aa10ee592dea2d24be07a8cc9c0cd2359b73d7724b4d8dbc3384960c48325ae5e82e67100952f887b16cd58c787c88c7e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\woEe.exe

Filesize
189KB

MD5
fc263f5aa44e12d03dfec9f1eacf3cd5

SHA1
9348c5e93e278a8f26d1c77ed66cb187208af16b

SHA256
ebdcaada6cef8088056b945bb57bff141b2a054834760596c3f49d2f07b41fbd

SHA512
7c73afc588cb5a124b211592e61104d243abdaf5933b651238484e6244eea6c83f2e9e33122b1252b783d47d3402d0cc117568e7396f24874ca687a8e79d6ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\woww.exe

Filesize
1.0MB

MD5
f3de2153b874a82e13b0e429f0f209ea

SHA1
768baaa10649078ffda407aa114128b42a8587ca

SHA256
1eabc8e34e5ff0f4fcf90d25dc847f7c8fb597eba32fdfe9d5d6dacaee17d970

SHA512
ccc31dcf306ebdb854dd02ed8402c84b6b783e74e51410f793e719174fb397e7b0cdbc1c41bccccb94cdd600b3623757cd941bb5f047526234af1abd920de64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwAU.exe

Filesize
262KB

MD5
03b397df5fe19c9e4780a9c73553e8cd

SHA1
af686a01f14957c59da77ae9ac0082c4c793f45e

SHA256
b18ab62f6f11463871a8cc9ff6bc283630560a578b8de05e8716b24fe89e3993

SHA512
5ec85eb54669ee1d31dc114966a995d5de25a1166680eebd9f378151bb5886d6a12ce4e4a7783a7e2878639e42623a0cb89510b2e7907b7771e2ff19d52874b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwUM.exe

Filesize
202KB

MD5
23391b233d75841ce413b88eac5ca928

SHA1
1579d559b4936751aa53cb75114eb8567b8365da

SHA256
6f6213ca9bbbce82970edb40aea642d3ed995a80dc895c565ee6783793443c42

SHA512
0113f107901bc04d0270ee823ee7fbbb8fc5bc39c7125b9fd2bda2e1fead289bbd53db398ebda972e1becd05b69144d020b251306858ceea9c3c2dd2bff25816

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEwEIEUI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMMS.exe

Filesize
224KB

MD5
fcaf757605ae51180a4ca6bfd2f977c2

SHA1
cc6153c83ce2fad84b96a433fdba15413f5ff3af

SHA256
6ee09e4d2aebf51a42eb878a1948eecf3dbab0b7940fd6092cc7c7215e829917

SHA512
a2f9095511a41a2398ad74b9449daa82ff99626b5e16127f64e6fedbb0acf39d9bbf61833a4f85e3a7c35936a39603a7721f7ff9dcbe484e426d3f3e65dd53d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsEQ.exe

Filesize
189KB

MD5
92b5d9c91493ee3d560d8139223dcd45

SHA1
5723a9416ecd290789ab372e28f686143a0efed3

SHA256
5a99336c9a7ededcb9e45651d26f9c6fa80ddac2b1175ed87c07eaf1850eae80

SHA512
d025a408457136d7729bc3d2b88aa520fd2ee240e16f6b20bf28632a47cd3c2ab101c54c5093e90666a8a3b55bc72c00e4fa75df999d3389f464f36544aa8bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqkAYsMk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAga.exe

Filesize
183KB

MD5
26383a26467fcecf6769efa05e76574a

SHA1
2c13cdb45e1eb77d81a3ca29c2b2ffc7a0694f52

SHA256
6d36b054bf80bbb6e50f1bdecf06247dca0f4ac5a4791b2e99f07d31915ead88

SHA512
59338c33e7bdcee64740c5184cf9990fc7645a7240dcd5a762a20c7ac9d99cec294f60e1e915cc471307acf11356c8700ea0d207ace662b88e51ac1547cc441c

Download Submit
C:\Users\Admin\tsgkcgkw\WQcIgUIM.exe

Filesize
201KB

MD5
271ebd4d0579cfd9ee6c9682cb8c4e11

SHA1
99c7929062286be235a928aac25401d80721b476

SHA256
52520ecf7f81da98c3f67389f9ddba067e886c225fda4cada6a0eda551d73b9e

SHA512
c157afc9dae103ed72b62ce1e8d84165c1419d34bde9f0d4e67fd3e2bbbdaeeb77abe51ee2f3f2dfb77f518093f451555d571a56656d3eed3fa6e824c979268b

Download Submit
C:\Users\Admin\tsgkcgkw\WQcIgUIM.exe

Filesize
201KB

MD5
271ebd4d0579cfd9ee6c9682cb8c4e11

SHA1
99c7929062286be235a928aac25401d80721b476

SHA256
52520ecf7f81da98c3f67389f9ddba067e886c225fda4cada6a0eda551d73b9e

SHA512
c157afc9dae103ed72b62ce1e8d84165c1419d34bde9f0d4e67fd3e2bbbdaeeb77abe51ee2f3f2dfb77f518093f451555d571a56656d3eed3fa6e824c979268b

Download Submit
C:\Users\Admin\tsgkcgkw\WQcIgUIM.inf

Filesize
4B

MD5
41aca6abf3b850bd8113ca059064750d

SHA1
556483ff8be4e74ae61b96a3cb2293e5b2d33b3a

SHA256
a91b50d46777c73cbee94265688dec910ed109c76551849234f721c97666c101

SHA512
3e78f1f09cfd386366e70a8162f6250304a098cd5d835a39dd66d815084acf0e358828aedce68dee73f3d566e23b1a91da6790a5bdb0e673c8f44bf5c7cfd05d

Download Submit
memory/116-482-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/436-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/700-177-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/824-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/964-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/964-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1040-487-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1040-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-581-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-465-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1444-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-600-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1712-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1892-625-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-357-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-563-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2240-608-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-536-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-609-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-617-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3128-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3136-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3136-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3308-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3312-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3312-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3392-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3624-235-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3640-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3652-590-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3652-583-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3760-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4028-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4044-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4048-463-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-571-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4108-163-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4276-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4276-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4520-632-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4852-554-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4876-518-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4876-515-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4972-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-174-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-499-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download