1fbfc0b007a6e3e6d21635f4fc6862f73193a94eb54ca6561eb8de30ede2b155

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cdfaad20cdf58exeexeexeex.exe
Size

334KB
MD5

5cdfaad20cdf5895477b8dd451a38b76
SHA1

f59d1bc399d988d5d5169e7df09b8e57589c1127
SHA256

1fbfc0b007a6e3e6d21635f4fc6862f73193a94eb54ca6561eb8de30ede2b155
SHA512

78229d6cd0432671aa91a770a95b97691376d1283a6ad4be59cb01eb439e987eb87f341405fe54889f6e2957fe874c6940d53ade0dcaf0be7698a634b86828d1
SSDEEP

6144:lv3XLrZ99999999999999X99999999999999X99999999999999X99999999999j:NnLrZ99999999999999X99999999999D

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
40	5092	cscript.exe
43	5092	cscript.exe
47	5092	cscript.exe
48	5092	cscript.exe
50	5092	cscript.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\LimitCompare.png.exe	miogkgAA.exe
File created	C:\Users\Admin\Pictures\RestoreBackup.png.exe	miogkgAA.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	miogkgAA.exe

Executes dropped EXE 2 IoCs

pid	Process
3092	miogkgAA.exe
456	BAAAgIQo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miogkgAA.exe = "C:\\Users\\Admin\\oqQAAYYw\\miogkgAA.exe"	5cdfaad20cdf58exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BAAAgIQo.exe = "C:\\ProgramData\\DMcMcIAY\\BAAAgIQo.exe"	5cdfaad20cdf58exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BAAAgIQo.exe = "C:\\ProgramData\\DMcMcIAY\\BAAAgIQo.exe"	BAAAgIQo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miogkgAA.exe = "C:\\Users\\Admin\\oqQAAYYw\\miogkgAA.exe"	miogkgAA.exe

Checks whether UAC is enabled 1 TTPs 56 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5cdfaad20cdf58exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5cdfaad20cdf58exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5cdfaad20cdf58exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5cdfaad20cdf58exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5cdfaad20cdf58exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5cdfaad20cdf58exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	miogkgAA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4720	reg.exe
3688	reg.exe
2140	reg.exe
2684	reg.exe
4748	reg.exe
4856	Process not Found
2036	reg.exe
5060	reg.exe
3344	reg.exe
672	reg.exe
2684	reg.exe
5108	reg.exe
4384	reg.exe
1484	reg.exe
2720	reg.exe
1836	reg.exe
1020	reg.exe
4444	reg.exe
3200	reg.exe
4368	reg.exe
2740	reg.exe
3948	reg.exe
1196	reg.exe
3500	reg.exe
1720	reg.exe
3508	reg.exe
4688	reg.exe
1520	reg.exe
1596	reg.exe
3120	reg.exe
2240	reg.exe
3620	reg.exe
4444	reg.exe
2240	reg.exe
3348	reg.exe
1268	reg.exe
936	reg.exe
2112	reg.exe
1192	reg.exe
1680	reg.exe
1068	reg.exe
916	reg.exe
3256	reg.exe
752	reg.exe
3284	reg.exe
1348	reg.exe
4020	reg.exe
988	reg.exe
4752	reg.exe
4020	reg.exe
4648	Process not Found
2140	reg.exe
960	reg.exe
4060	reg.exe
4116	reg.exe
2340	reg.exe
2900	Process not Found
5004	reg.exe
1388	reg.exe
4860	reg.exe
3872	reg.exe
4948	reg.exe
3348	reg.exe
2320	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1332	5cdfaad20cdf58exeexeexeex.exe
1332	5cdfaad20cdf58exeexeexeex.exe
1332	5cdfaad20cdf58exeexeexeex.exe
1332	5cdfaad20cdf58exeexeexeex.exe
2980	5cdfaad20cdf58exeexeexeex.exe
2980	5cdfaad20cdf58exeexeexeex.exe
2980	5cdfaad20cdf58exeexeexeex.exe
2980	5cdfaad20cdf58exeexeexeex.exe
2716	5cdfaad20cdf58exeexeexeex.exe
2716	5cdfaad20cdf58exeexeexeex.exe
2716	5cdfaad20cdf58exeexeexeex.exe
2716	5cdfaad20cdf58exeexeexeex.exe
2548	5cdfaad20cdf58exeexeexeex.exe
2548	5cdfaad20cdf58exeexeexeex.exe
2548	5cdfaad20cdf58exeexeexeex.exe
2548	5cdfaad20cdf58exeexeexeex.exe
4144	Process not Found
4144	Process not Found
4144	Process not Found
4144	Process not Found
4984	Conhost.exe
4984	Conhost.exe
4984	Conhost.exe
4984	Conhost.exe
2340	reg.exe
2340	reg.exe
2340	reg.exe
2340	reg.exe
4676	5cdfaad20cdf58exeexeexeex.exe
4676	5cdfaad20cdf58exeexeexeex.exe
4676	5cdfaad20cdf58exeexeexeex.exe
4676	5cdfaad20cdf58exeexeexeex.exe
3584	5cdfaad20cdf58exeexeexeex.exe
3584	5cdfaad20cdf58exeexeexeex.exe
3584	5cdfaad20cdf58exeexeexeex.exe
3584	5cdfaad20cdf58exeexeexeex.exe
3688	5cdfaad20cdf58exeexeexeex.exe
3688	5cdfaad20cdf58exeexeexeex.exe
3688	5cdfaad20cdf58exeexeexeex.exe
3688	5cdfaad20cdf58exeexeexeex.exe
1556	Process not Found
1556	Process not Found
1556	Process not Found
1556	Process not Found
3760	5cdfaad20cdf58exeexeexeex.exe
3760	5cdfaad20cdf58exeexeexeex.exe
3760	5cdfaad20cdf58exeexeexeex.exe
3760	5cdfaad20cdf58exeexeexeex.exe
1192	Conhost.exe
1192	Conhost.exe
1192	Conhost.exe
1192	Conhost.exe
4872	reg.exe
4872	reg.exe
4872	reg.exe
4872	reg.exe
3188	reg.exe
3188	reg.exe
3188	reg.exe
3188	reg.exe
4952	reg.exe
4952	reg.exe
4952	reg.exe
4952	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3092	miogkgAA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe
3092	miogkgAA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 3092	1332	5cdfaad20cdf58exeexeexeex.exe	85
PID 1332 wrote to memory of 3092	1332	5cdfaad20cdf58exeexeexeex.exe	85
PID 1332 wrote to memory of 3092	1332	5cdfaad20cdf58exeexeexeex.exe	85
PID 1332 wrote to memory of 456	1332	5cdfaad20cdf58exeexeexeex.exe	86
PID 1332 wrote to memory of 456	1332	5cdfaad20cdf58exeexeexeex.exe	86
PID 1332 wrote to memory of 456	1332	5cdfaad20cdf58exeexeexeex.exe	86
PID 1332 wrote to memory of 3524	1332	5cdfaad20cdf58exeexeexeex.exe	88
PID 1332 wrote to memory of 3524	1332	5cdfaad20cdf58exeexeexeex.exe	88
PID 1332 wrote to memory of 3524	1332	5cdfaad20cdf58exeexeexeex.exe	88
PID 1332 wrote to memory of 5000	1332	5cdfaad20cdf58exeexeexeex.exe	90
PID 1332 wrote to memory of 5000	1332	5cdfaad20cdf58exeexeexeex.exe	90
PID 1332 wrote to memory of 5000	1332	5cdfaad20cdf58exeexeexeex.exe	90
PID 1332 wrote to memory of 4424	1332	5cdfaad20cdf58exeexeexeex.exe	89
PID 1332 wrote to memory of 4424	1332	5cdfaad20cdf58exeexeexeex.exe	89
PID 1332 wrote to memory of 4424	1332	5cdfaad20cdf58exeexeexeex.exe	89
PID 1332 wrote to memory of 4324	1332	5cdfaad20cdf58exeexeexeex.exe	91
PID 1332 wrote to memory of 4324	1332	5cdfaad20cdf58exeexeexeex.exe	91
PID 1332 wrote to memory of 4324	1332	5cdfaad20cdf58exeexeexeex.exe	91
PID 1332 wrote to memory of 1080	1332	5cdfaad20cdf58exeexeexeex.exe	92
PID 1332 wrote to memory of 1080	1332	5cdfaad20cdf58exeexeexeex.exe	92
PID 1332 wrote to memory of 1080	1332	5cdfaad20cdf58exeexeexeex.exe	92
PID 3524 wrote to memory of 2980	3524	cmd.exe	96
PID 3524 wrote to memory of 2980	3524	cmd.exe	96
PID 3524 wrote to memory of 2980	3524	cmd.exe	96
PID 2980 wrote to memory of 108	2980	5cdfaad20cdf58exeexeexeex.exe	98
PID 2980 wrote to memory of 108	2980	5cdfaad20cdf58exeexeexeex.exe	98
PID 2980 wrote to memory of 108	2980	5cdfaad20cdf58exeexeexeex.exe	98
PID 1080 wrote to memory of 208	1080	cmd.exe	100
PID 1080 wrote to memory of 208	1080	cmd.exe	100
PID 1080 wrote to memory of 208	1080	cmd.exe	100
PID 2980 wrote to memory of 1636	2980	5cdfaad20cdf58exeexeexeex.exe	102
PID 2980 wrote to memory of 1636	2980	5cdfaad20cdf58exeexeexeex.exe	102
PID 2980 wrote to memory of 1636	2980	5cdfaad20cdf58exeexeexeex.exe	102
PID 2980 wrote to memory of 4612	2980	5cdfaad20cdf58exeexeexeex.exe	101
PID 2980 wrote to memory of 4612	2980	5cdfaad20cdf58exeexeexeex.exe	101
PID 2980 wrote to memory of 4612	2980	5cdfaad20cdf58exeexeexeex.exe	101
PID 2980 wrote to memory of 3684	2980	5cdfaad20cdf58exeexeexeex.exe	103
PID 2980 wrote to memory of 3684	2980	5cdfaad20cdf58exeexeexeex.exe	103
PID 2980 wrote to memory of 3684	2980	5cdfaad20cdf58exeexeexeex.exe	103
PID 2980 wrote to memory of 4848	2980	5cdfaad20cdf58exeexeexeex.exe	104
PID 2980 wrote to memory of 4848	2980	5cdfaad20cdf58exeexeexeex.exe	104
PID 2980 wrote to memory of 4848	2980	5cdfaad20cdf58exeexeexeex.exe	104
PID 108 wrote to memory of 2716	108	cmd.exe	109
PID 108 wrote to memory of 2716	108	cmd.exe	109
PID 108 wrote to memory of 2716	108	cmd.exe	109
PID 4848 wrote to memory of 4680	4848	cmd.exe	110
PID 4848 wrote to memory of 4680	4848	cmd.exe	110
PID 4848 wrote to memory of 4680	4848	cmd.exe	110
PID 2716 wrote to memory of 2864	2716	5cdfaad20cdf58exeexeexeex.exe	111
PID 2716 wrote to memory of 2864	2716	5cdfaad20cdf58exeexeexeex.exe	111
PID 2716 wrote to memory of 2864	2716	5cdfaad20cdf58exeexeexeex.exe	111
PID 2716 wrote to memory of 3172	2716	5cdfaad20cdf58exeexeexeex.exe	116
PID 2716 wrote to memory of 3172	2716	5cdfaad20cdf58exeexeexeex.exe	116
PID 2716 wrote to memory of 3172	2716	5cdfaad20cdf58exeexeexeex.exe	116
PID 2716 wrote to memory of 4320	2716	5cdfaad20cdf58exeexeexeex.exe	115
PID 2716 wrote to memory of 4320	2716	5cdfaad20cdf58exeexeexeex.exe	115
PID 2716 wrote to memory of 4320	2716	5cdfaad20cdf58exeexeexeex.exe	115
PID 2716 wrote to memory of 4384	2716	5cdfaad20cdf58exeexeexeex.exe	114
PID 2716 wrote to memory of 4384	2716	5cdfaad20cdf58exeexeexeex.exe	114
PID 2716 wrote to memory of 4384	2716	5cdfaad20cdf58exeexeexeex.exe	114
PID 2716 wrote to memory of 852	2716	5cdfaad20cdf58exeexeexeex.exe	175
PID 2716 wrote to memory of 852	2716	5cdfaad20cdf58exeexeexeex.exe	175
PID 2716 wrote to memory of 852	2716	5cdfaad20cdf58exeexeexeex.exe	175
PID 2864 wrote to memory of 2548	2864	cmd.exe	121

System policy modification 1 TTPs 56 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5cdfaad20cdf58exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5cdfaad20cdf58exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5cdfaad20cdf58exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5cdfaad20cdf58exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5cdfaad20cdf58exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5cdfaad20cdf58exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5cdfaad20cdf58exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe

C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Users\Admin\oqQAAYYw\miogkgAA.exe
  "C:\Users\Admin\oqQAAYYw\miogkgAA.exe"
  2⤵
  - Modifies extensions of user files
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3092
- C:\ProgramData\DMcMcIAY\BAAAgIQo.exe
  "C:\ProgramData\DMcMcIAY\BAAAgIQo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
    C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:108
    - - C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        8⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        9⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        10⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        11⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        12⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        13⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        14⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        16⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        18⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        20⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        21⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        22⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        24⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        25⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        26⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        27⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        28⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        29⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        30⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        31⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        32⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        33⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        34⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        35⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        36⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        37⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        38⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        39⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        40⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        41⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        42⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        43⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        44⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        45⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        46⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        47⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        48⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        49⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        50⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        51⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        52⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        53⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        54⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        55⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        56⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        57⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        58⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        59⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        60⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        61⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        62⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        63⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        64⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        65⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        66⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        67⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        68⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        69⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        70⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        71⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        72⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        73⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        74⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        75⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        76⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        77⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        78⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        79⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        80⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        81⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        82⤵
        
        PID:4792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        UAC bypass
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        83⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        84⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        85⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        86⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        87⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        88⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        89⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        90⤵
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        91⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        92⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        93⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        94⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        95⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        96⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        97⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        98⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        99⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        100⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        101⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        102⤵
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        103⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        104⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        105⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        106⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        107⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        108⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        109⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        111⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        112⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        113⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        114⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        115⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        116⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        117⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        118⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        119⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        120⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        121⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        122⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        123⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        124⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        125⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        126⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        127⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        128⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        129⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        130⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        131⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        132⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        133⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        134⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        135⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        136⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        137⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        138⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        139⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        140⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        141⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        142⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        143⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        144⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        145⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        146⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        147⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        148⤵
        
        PID:1448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        149⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        150⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        151⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        152⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        153⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        154⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        155⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        156⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        157⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        158⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        159⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        160⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        161⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        162⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        163⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        164⤵
        
        PID:1476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        165⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        166⤵
        
        PID:3572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        167⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        168⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        169⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        170⤵
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        171⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        172⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        173⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        174⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        175⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        176⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        177⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        178⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        179⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        180⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        181⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        182⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        183⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        184⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        185⤵
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        186⤵
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        187⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        188⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        189⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        190⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        191⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        192⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        193⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        194⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        195⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        196⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        197⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        198⤵
        
        PID:900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        199⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        200⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        201⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        202⤵
        
        PID:2784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        203⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        204⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        205⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        206⤵
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        207⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        208⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        209⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        210⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        211⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        212⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        213⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        214⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        215⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        216⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        217⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        219⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        220⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        221⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        222⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        223⤵
        Modifies visibility of file extensions in Explorer
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        224⤵
        
        PID:892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        225⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        226⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        227⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        228⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        229⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        230⤵
        
        PID:496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        231⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        232⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        233⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        234⤵
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        Modifies visibility of file extensions in Explorer
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        235⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        236⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        237⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        238⤵
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        UAC bypass
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        239⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        240⤵
        
        PID:3104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        241⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        242⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        243⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        244⤵
        
        PID:4936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        UAC bypass
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        245⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        246⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        247⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        248⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        249⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        250⤵
        
        PID:4264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        251⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        252⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex
        253⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex"
        254⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        UAC bypass
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEYksIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        252⤵
        
        PID:1448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        UAC bypass
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:4392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUUMcAcg.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        250⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:2056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyogYowY.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TessMcwk.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        246⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:5096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies registry key
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:3992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REcokoYc.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        244⤵
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies registry key
        
        PID:3500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        UAC bypass
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYoEwsgM.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        242⤵
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAwEEEcM.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        240⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        UAC bypass
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgkQUYUU.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        238⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:3204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSYUkEck.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        236⤵
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        Modifies visibility of file extensions in Explorer
        
        PID:704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XskwAAsY.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        234⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:1448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:1640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEYsYAwY.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        232⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiAYMsoU.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        230⤵
        
        PID:1636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        Modifies registry key
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies registry key
        
        PID:4020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        Modifies visibility of file extensions in Explorer
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQAkYoMg.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        228⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iscgIYYI.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        226⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:1288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWQkQcsI.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        224⤵
        
        PID:4292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:2788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuUMgAAM.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        222⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:1636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmQoIUgc.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        220⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsYwcEIU.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igsoYcUA.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        216⤵
        
        PID:3016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        Modifies registry key
        
        PID:1196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwoEYcsY.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        214⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:3844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        UAC bypass
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWwwwsYc.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        212⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PakgcYoc.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        210⤵
        
        PID:1268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        Modifies registry key
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        UAC bypass
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAwsQgUc.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        208⤵
        
        PID:1824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xasUYckE.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        206⤵
        
        PID:3480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        Modifies registry key
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duEwksEI.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        204⤵
        
        PID:228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        UAC bypass
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOIIccwE.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        202⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies registry key
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGMksUIA.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        200⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIssMQYE.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        198⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:3284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        UAC bypass
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:5096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgwsEowg.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        196⤵
        
        PID:4184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        Blocklisted process makes network request
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcUQIQsk.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        194⤵
        
        PID:3872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:3332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        Modifies registry key
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcsMUMgk.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        192⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAMwMcEg.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        190⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        UAC bypass
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOMwgoMc.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        188⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies registry key
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rasQAcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        186⤵
        
        PID:1468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:1268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:2740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUkwQosk.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        184⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIwAoAQM.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        182⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMQoMwcs.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        180⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        UAC bypass
        Modifies registry key
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEckAogo.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        178⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWokEwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        176⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:2576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        UAC bypass
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        UAC bypass
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAEAUMww.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        174⤵
        
        PID:3128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMUMUwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        172⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAksoUog.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        170⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        Modifies visibility of file extensions in Explorer
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oewMMMMI.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        168⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOoIkscg.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        166⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMYsUUEE.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        164⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsEIoIYU.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        162⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYgUEowg.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        160⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAYAcwEo.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        158⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        Modifies registry key
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgcscksY.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        156⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyswAAYw.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        154⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMwIwQoY.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        152⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        Modifies registry key
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSosAcIE.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        150⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmUwEYMI.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        148⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkkEMUgU.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        146⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:2684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOgcAMgA.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        144⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkEYkAUo.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        142⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwcEYUog.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        140⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        UAC bypass
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSkIQokc.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        138⤵
        
        PID:3872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyYIQEQk.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        136⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgUEoUcA.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        134⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SeAAowQU.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        132⤵
        
        PID:1260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgUoowUw.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        130⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcoYkkYE.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        128⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiQQgMYE.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        126⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYocEIMI.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        124⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:1908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYEoEkkM.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        122⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOgAgowk.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        120⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYQEYQUg.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        118⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEUscEkc.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        116⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycoUQkUM.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        114⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqggwYUs.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        112⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocIssIQc.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        110⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWIkgoAs.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        108⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsAsAYsI.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        106⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:3200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:3132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmgsccQM.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        104⤵
        
        PID:4332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmMYwccI.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        102⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EewAoIUI.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        100⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWIYAUQU.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        98⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoMUMYoU.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        96⤵
        
        PID:1808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKAsQYUY.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        94⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGUQsMgo.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        92⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKQEYUYw.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        90⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:3348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOgAkQwI.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOwQwQkU.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        86⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkEgEcEA.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        84⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIgEcUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        82⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:2860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMkwwUQE.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        80⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqwskcYA.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        78⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwMIAoME.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        76⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaAswsUw.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        74⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygQgIsgY.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        72⤵
        
        PID:1552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYMEwQkM.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        70⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies registry key
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQUsEoIA.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        68⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMAAMcwE.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        66⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcgcIQgM.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        64⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:1068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcgEYEwM.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        62⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuoAYYog.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        60⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGcIYcwc.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        58⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaokAIsw.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        56⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwMkIwwM.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        54⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seYwAsIY.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        52⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWkcsIUo.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        50⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqgcggAQ.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUQgkkQQ.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        46⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCckUEoM.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        44⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoIkwQoY.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        42⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:1616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiIoMggQ.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        40⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYwwIUgE.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        38⤵
        
        PID:2492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQsQcAkA.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        36⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgcgoskY.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        34⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQYMQooo.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        32⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIsQwkAs.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        30⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWwYIoUU.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        28⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQMUYsos.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        26⤵
        
        PID:3588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgwwEsAA.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        24⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkAUMcMk.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        22⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKcMQAEA.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        20⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAIkkMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        18⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYUswssc.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        16⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEYIYQUs.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        14⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwscgwUk.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        12⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\digEgkEk.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyYEkoQg.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        8⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUskAgEg.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
        6⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1068
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4384
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4320
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3172
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWYMQggY.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4848
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4680
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4424
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5000
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\busAQQkI.bat" "C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:824

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
655KB

MD5
ddab10769a783fd9536c1738531a51cc

SHA1
0d9c9975aba7617e61261f8a747bb88881a0c617

SHA256
2335d1b74300829b15a6ea1946edf7ed421adff16374d0398fb783125da72411

SHA512
1c88dbe1f063e6dc389e3e4f82e3496fd44652ec837b6cbbacf1cea9478a09e4f9031b9e044dd951a4261d5befef085620efbaac7dc4e1dbbbcaa55698355e71

Download Submit
C:\ProgramData\DMcMcIAY\BAAAgIQo.exe

Filesize
187KB

MD5
02f51af09dbcffcb0874c726d6da21b4

SHA1
3fd5e93ba6c5072b791f6ecdd797ade0442142ec

SHA256
f9de1efa6476eddb7c721001dcf0dd8436d3c7246f5ced2be18a73674065d499

SHA512
4cc2cdf091771f60a8a77a8540431ac3a9fbc39434d8f78fd4a4c7abd894ed6567b2e310744006dddfd84f46455f4e97e53f30ff1617a9580dbafa9c632b475f

Download Submit
C:\ProgramData\DMcMcIAY\BAAAgIQo.exe

Filesize
187KB

MD5
02f51af09dbcffcb0874c726d6da21b4

SHA1
3fd5e93ba6c5072b791f6ecdd797ade0442142ec

SHA256
f9de1efa6476eddb7c721001dcf0dd8436d3c7246f5ced2be18a73674065d499

SHA512
4cc2cdf091771f60a8a77a8540431ac3a9fbc39434d8f78fd4a4c7abd894ed6567b2e310744006dddfd84f46455f4e97e53f30ff1617a9580dbafa9c632b475f

Download Submit
C:\ProgramData\DMcMcIAY\BAAAgIQo.inf

Filesize
4B

MD5
0995a167eac79e294daea60364e574f9

SHA1
74f59fffb8edc9f862f6c026184148befa7b032f

SHA256
a56b59221bf8cf3c05a49943433deb3010f1811514e0a009613778aaceda1e28

SHA512
91ab3b4c520eb6515d79c15b55d4cb3c607d2e5545f3ca0dd30c183edf71c1cface3ae49b9d1fba026708a63eb992fffd99f9690492238300b312b30ac7656b1

Download Submit
C:\ProgramData\DMcMcIAY\BAAAgIQo.inf

Filesize
4B

MD5
ac6321dd0d34ee48f596024090840827

SHA1
b60fea97a7495faf636d80a772f4a4a4fdbf8a4a

SHA256
10bca15f0c8cc9f92801afe8fad35a3bff65996a0baf8df0202a1e1eac062268

SHA512
d1f5ffe0625b27eeea00eb730e8f4bf3bb13d1630b8659b31904be9bfa5973b4cac068e4f38b8601a44a6789ef7c330d4b61676f7753c4db2a4410c6e0e1fc24

Download Submit
C:\ProgramData\DMcMcIAY\BAAAgIQo.inf

Filesize
4B

MD5
6c991638cd7aff476142ac0cb12c58d2

SHA1
8f9f48e5e9e170d425201e8319281b54a8bdf741

SHA256
8fc9d07d50e1f4848f782bdb0cf76005c7d086cda5a2cacfcc84b8ab6a758ec0

SHA512
b733ddff031a9d5792c331940c3d359182b006c310f2d53c9f186c9be5cdded5e7ab193c7c50a70f6836677b07473cbc3679f7015ba8939eaf33fb8350042028

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
224KB

MD5
9c0cfea37b4d001c99a7c6cf7b58e23f

SHA1
6d0bbe31a3081aa66cf34000be32ad07349b43cc

SHA256
88e592a28db674655f80adeed84a83a66f6cbc4af8983cfdb7952789f7794954

SHA512
cae8980d9cb7f0d0fbeb1d3d3725d9572cf532c56a50e9a60c81b5065083bdb930c867383f8fe93aa0c76293b55e9bfc67f4d9cacc6c60084ce8ab7ab2927787

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
816KB

MD5
fb6662b8b03bec760951c3de1fc16572

SHA1
e74d285b08f185801e8a2bf1d6b3eb5e1ed3a628

SHA256
fa7d0ebc8c071d5e9a831082d8f30c168ee6a273cea7dd8267ae8d098bf6a49d

SHA512
95477a36157659f87888b481a19aa7f1f62b502673c5429ff5a1b2af0127459553d68dea13e05d404439c27584880c14c7826dcbf4bed7cd38dfb947a3228598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

Filesize
194KB

MD5
0a624185dfaccdb5c27c0f6789784745

SHA1
705ce9d50ec5ddabd84a36e74a7a1024f1dd182d

SHA256
80ad13a97c854448d8702b5e5efdb11defa3396d8dff592aa063db9d03a32586

SHA512
b4cfdef5973d20b976fb36080587a74d13532d6fefd1631182102e3febee88021a671518fa12f2b539e1c4b3e7c5e3802119645c75156edb3153171ea071260a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

Filesize
208KB

MD5
339a58557b70143b6c23d7c83a0bc0c1

SHA1
3873fb9a2e192b718deee0cb1d2837575e35f1cd

SHA256
719f81a7b88c7bc1119f4d46afb77fa622b9a3cd3242833263362f0f59cfdda5

SHA512
1401a20b094494a3c91918fdcace19bd14edad31c4711202d80eae99ad888dc2bb93ab83c1ef689911d2e93023b8247b36da7286547125d5729489f8de1750e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

Filesize
202KB

MD5
ed85933f872c20c758cbcd1ef173421f

SHA1
5a4ca9ff9b269c7931a6592e8f0ecd0f8f44d274

SHA256
a75cd40f10525335f4494f7e0358edb663918e7944abceb1664c46b16c1500c9

SHA512
4e28ae351d1cb18558e3bea6ed10440b9404f24fadf5ecad708229e9b8ff8560006fe47b38d238c3b0ef9089c725b5f47b3564aa001a6e05d5d2a5d22e5cc7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cdfaad20cdf58exeexeexeex

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUcu.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cgwm.exe

Filesize
202KB

MD5
e8927fe892aa822bd96d3b4e8bcf9bdb

SHA1
1d78bc72f553259673924db15de1aa449860f438

SHA256
a2989abb57273c55362744ae4f68dc8d3d4c4a690d1b0e55b45b44101f19a9f6

SHA512
2491d303c52de3a238cd0e91aa38825c270320acf6560babcc36d10828f26f3d395fb864eaa499c67df91afdcb4696c92b5611a15a0d0f68f71b83b7f63ea262

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dgsk.exe

Filesize
775KB

MD5
ecb08f9e2770c839be429ec4add05ea9

SHA1
9733125d1b2b24db9f1a151c1b998b9f7a03de67

SHA256
e18e5197d0a8e3dc053ba4868aa1f633e562b21fedab3c563a694d339ad1b50d

SHA512
514cefa369db115d05c501e95ff6743c46f8d596226db85d86c9bf148ded6c6e5e782de696d52e8ab3888653e6588032408694f8f58e663ea34223818ca795d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIMW.exe

Filesize
415KB

MD5
f04b465d8ea0e65cb991ab3a4b06ae76

SHA1
72b4404c895b2ef1b6396b7af4bc8741323db8ed

SHA256
3f019c915f3ef8ab3222b1702cb4f44941df116cb23f7cf9b237d4532df934e1

SHA512
31a85f1248a2ad2f1043130f2c5bff44ffb8cd26e89c04a6ca8447b2e4e5b4bb920b29db44c81a000e74db39a8281a729d0403ade6125f46320d259aed11fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIUI.exe

Filesize
203KB

MD5
90421f248e1a7c928a65f017c4a56943

SHA1
c37926abb7fd995209e326d53d7bbb10edb8e670

SHA256
f77e7cd8cabacf5547630fe4670b424f027db2c765a63475a58726da80b9a806

SHA512
616ac1bb2e97e7f0edb7736dedfc3b6f0642708611ed16edfa51ccc1276abd84d7858a211ebdeb8ecae90e5bbf61c017e81f6811f2cc9e35385a96af20a4187f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMcW.exe

Filesize
208KB

MD5
08c342181206fc084ee700668201c686

SHA1
f207df5be62fafd6a0d98381d28dff71fa9aac11

SHA256
71a20efc984c50c4341805fb7fa41eba03dcef2e2ebd9159de2b458d6308c7c1

SHA512
0019229ddfb4c2756d3600a32383d352735af3d630e2b04aac3e8416b83afd4c4fcd662e4879769bfc6552df6183e5bd2ca234e47d7b64b43da062f3ab112365

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gssi.exe

Filesize
205KB

MD5
daac29796ab708897433b6aabf09592b

SHA1
8cda84e8ccaf58b1df5d4570920ef5a3ec980e00

SHA256
b8172d95d7f07c51f771b25a3dd87df4abccff4b4d81a56ff2488760b37cf0fd

SHA512
7a7e49313d38094397282a4ba3b6101fc0d0509e181880eb9fd38d97841780b39bea06371251c2f075fec8d58665fb8daa46bb9d5290ee9137aa95f8f0bdf3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwoG.exe

Filesize
195KB

MD5
c54490bb9c92a04c9a623334a1fd12bd

SHA1
acf9390d8616a1d258e5e22235a61650b7d17d1f

SHA256
dcc064713aa0672b35636b57afb77c6e370bce77ac2803e7d9fcb89757316b71

SHA512
62a7870032cc171f707492b6878cf09d453a0b40c13c0a19cec2fb3a0aad62787b491c2a2998dcb7e393a8245f91042f0a0b77a536c910c943cf8f3576e2d9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYIC.exe

Filesize
222KB

MD5
a1df29ed94650254550780c4eedf78af

SHA1
f55e59bb79bd82d354d7e1236e5bdf23d711671e

SHA256
cb2ea019bcad548f3e440d09bcf90d8fc46396f71bcdc41e407538f1d3563269

SHA512
43c5cca0a22a6e59b3136eccfadf638d790ede9c5723a49d03214f5bb1ca2ecbfe952e10bc9c068f731d3abe349667d4a65dbc8e230260a870cdb433e7a731a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYMa.exe

Filesize
600KB

MD5
e15ecc54784967d5bc6ed392c065d157

SHA1
742f44e3cdf8cf8585564b30f98e7d7d60d9b621

SHA256
2a4ef1471b62fab4435e8cc451787d5947c159eb1441218711a34368ae23b31a

SHA512
6bcc5a8bb90928b57c3b039b3906eb8f538cddfbfafcf24d006f6dd81b49c42c24daa61b9f01d47a27582bd4c80d3b8824afddd30c5f65740c949c62d30ab0bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYQS.exe

Filesize
193KB

MD5
41953a31c645df3f2c099915949acdb2

SHA1
984bad6f0489e9a8ea0c9c29da89bfa9e8f1eb84

SHA256
5b2d5c8a11c09a9f00e747fa07992111f3e5bc6c64e3983cf1b74cb74e6d3d0c

SHA512
7634f758a6160af5e7deb212a64abdfa7f06ce4348345e979a038143c6688d38abc4d0ecd2907e464f2ff861d08cb8f32fc212fb4528490bf48de39a4140e262

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcwO.exe

Filesize
654KB

MD5
2937b19ab9a2333e226fea8afa58212b

SHA1
c89e0592c9cec5f35acb8022fdd6ca2f82a99f07

SHA256
8183b0bd0c51a49614855357d3db0362a6d9620a0e9f7312182f14c0e83d50b2

SHA512
8a12c2faa68dd5f9ef8d6db076613bc36c95285de9082fa5f0b441949ac123d239994c5ff7ab1b2c03a6d3f46d025ed2193beebe6977756bba0364166542c0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIwm.exe

Filesize
193KB

MD5
a0aae154e65be5dbc489f57829d5d2b1

SHA1
fcea4965f8f00c762d0d4fd23d0de644b4882aaf

SHA256
0d75e7d49236d7985b5f7ec8095d8ab7e39b46002ade469eaf11e2b083211555

SHA512
999f80b30afadceca193615a51cc3d48396a8bb267f47312a4ae4a88967275ec1701f37c6d10f913899cb0a2db036fdf74936e104ca1059f41b152e9fe0acd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQII.exe

Filesize
212KB

MD5
c72bfec6a19ba24718b612b93bb16cae

SHA1
fa9f93aa3e2cc59817469c7379215fe27eec4887

SHA256
9acf8e41b8d55afa955e0a810cb61c6a43fc31cd318ec5cf97ce4a13ae6d8e4c

SHA512
5c691c7a4791b31e41e78a819c21ac5ee79f716cbd26ad76d4f203e32ae13362c19c6deaa054f4eaccc22aab02b74e1935bc10ecb622acf9aa11634eed69e40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwIK.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAAC.exe

Filesize
229KB

MD5
a03b700a1b20eedefe031d5ee13bb417

SHA1
b78ce895ec7645490d268bc499dcf0a102227fb4

SHA256
37f5e878b13f4e12145b70f91562d739cb0f049fe569dc69793b9e90347aed43

SHA512
ec6cb356d70e85aedddceb324690a0102a4231d6535e474b1c758eac85e1b87ef1fbf20b03efe48a2396b12904c0de0ed206f1a133536d50fa9e91297af92008

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMEY.exe

Filesize
399KB

MD5
d4e1ae8f957c1b8dc38782741f1a9001

SHA1
524ff4673b6e3e2157a7b96bec1b06ac53b43019

SHA256
72d33ff38cd75108e7fa95dc11c4a483b62510bbcadd03fb4c1939d0253dd232

SHA512
3ff987f00b788c80ad36dccc5f2f11a8cd7fb71267f387b0328bc3ba317af2e79cf4b5fc7708cbb6c3c08e257bf5eb8a112c71757cadc888d85c7e966264adc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUAs.exe

Filesize
205KB

MD5
76086def594581d0efca3979b78766a6

SHA1
58985c902ef252c755941da1deb462a8fcbfe449

SHA256
3ee2653c128e862672c8e575ec022e21e2200635c0f463622ab838cefb56d525

SHA512
1ad3e8dade93fc6dcd98ff37bf6aae4929363cfa3fb352ec4a6376f533daa3c624ad7f8cc43382ba22c64016acf95f0878caef4ad8e6b0e0ed9dcfeadbd648fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\JoIi.exe

Filesize
188KB

MD5
44dc0b75a9993b5ceba722437f13aad2

SHA1
601c821592bc7e76bb3cf7eb20ddf66d6241a70f

SHA256
4699a52705e1fee0ae27e9e8a3a224ad4adebe4fe9da799f7ac61efeb00b2db6

SHA512
af52221ca3f971b57b5459128a4ba7719b108b85dc9ccebab9c392deb0c9c8fadb33cc7d86b49635b4b26e0d948aa14ded9820890abeb5e505b2d1bc5e66eeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\JosU.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\JwES.exe

Filesize
201KB

MD5
af780570cf2b79376c801ed385017338

SHA1
355639fbc48f3bd3fa86c86d2f65d63cc2e51da3

SHA256
ad0dc38a73171f756a5cfbd4686ca2bca1f44096506542e700d0c51cd34328aa

SHA512
fc3549b1dab12641c96f4f9d970c4988d2669363a622afeccfaabd80556289fb832a5b22e958457121366a9415d77c32e9b15cf46b6b8597fc4b39643e0c55db

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUYq.exe

Filesize
201KB

MD5
52b4408225cfc64658a3eda72c1722d1

SHA1
d05a1fa52abdd396cabf808cdf18e81a48e49e84

SHA256
a452b889f5d1f492f9b8a18da147602dcd06d705fc0c4c56959b961a8456a27c

SHA512
cb75ce8e38425df69331f98c8583835993664123982956fcb3834a49b77b7db8c3c5af4886ddc72147a8aa3749a67a737360c026b6df977e01c1e75cafba56f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQYu.exe

Filesize
351KB

MD5
d0baaf99b7ea8acab641afa420a8cb54

SHA1
fe2b561182b585adc03a126f5faa9eef3b03aec7

SHA256
1c238a7471c0268d3f74313fda523ab0dc1c8c4f26d32a44c167ad4c1e140b35

SHA512
a4520b971d323c0f398e535eaf52be9090831f5c8c72eecd75a9578de1b5eff493dffbe4411227efd41b43be50af2bf4668821696f8f24b9d356521079109ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQwQ.exe

Filesize
206KB

MD5
d4c060f24e65f32f6662a702cafad9c7

SHA1
0536cf89d423c50921a1713212f10b2e54fd91f1

SHA256
83f34a00fc01be639a1664d4ecb1209dc181407b0ac47bf9dab16c34c550b7c6

SHA512
5829aa661cc7fdfd035f68e38fce20cb76e94a1c683b6836e44d9a7509b368117bc01be56999c32912ce90a2be3942bedc0160a34af5a272736b269377524229

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWYMQggY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAUO.exe

Filesize
639KB

MD5
32634e30cae4a1093a890287dcde08d1

SHA1
48d2b1405da47f869e8319f631c094cca00785a6

SHA256
968bcc1af49fcbbfc2d016e01a8121036ef4a5f8697e21bbc383e6c4e1f77105

SHA512
8999c3258e96f799fc38095cbe38d0f1d453c8fefbec4e04d9d4377586896d56d11166fe5333f16c4b8381d56077d404b8ec02528a4a5b3618de8f489e23ab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIIO.exe

Filesize
208KB

MD5
09d9dab630e80057549395f73be4782a

SHA1
db1a184dd043eef753ba0488ba727b8b160e9cc1

SHA256
fb306042a11faf55fc3d3c3de7af8a57620ec799f48c71795815a4026b7843a3

SHA512
dde1eba77b39552fb6f5638cc2101e7a36b79f8caa3f40de644f2c6ee82dee5db346d051d6cdb6182921812ff9323a620af2891d811a17e296497b2681de9566

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIcc.exe

Filesize
568KB

MD5
b50ec6028ecbb6e7b2b94146f553fb1e

SHA1
ec7d3ce6f9ef53fd911c0091d306c6b0ea1b7656

SHA256
91f22eb0a61a33826ed919bb213522e908a8fbf4df7974e9ba67dfe4c6512658

SHA512
91c594ac9d22b4c38fdccf10a6c2824462bf6f3d60e8c92de5b99cde773b9773495176192f1f75decf14752ed62caaac2a82b443f04ba81be86a1db115ba4140

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIwa.exe

Filesize
516KB

MD5
27e4d198d85ffaf8ae25a0af46956421

SHA1
8b17b251a9f95112d362041f4b65ff7e2c0f375b

SHA256
6ff882d6f6fc32f9cab1747ec97dbefb7fdb439613ee1bc51c9bbef70d32dd3e

SHA512
25ad3beeef5a0bdaf48bf23da4e61b21b94895f0b3005f8b3dfc7599296ae43e25e677f92bad465df13c4589cb8fce3dff30ba7606231095069b16f760189656

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkQO.exe

Filesize
429KB

MD5
706436affd892c9c25cbdbe515b62d2a

SHA1
b6971b4183b8e7e00faeb831c8e44694eb428c0f

SHA256
80d36077ab1917fa9c137c6c595685d876522c4154919a5613f85ba47dd7ce87

SHA512
e823322d8617ad19bc7c218056eef4b962f75d3cd5e2af9db4b8b92f579cf81119096f6a6a3fea8a2ef89044742e5ac091ec7ab4d0ff8a1f532723bf9c245057

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwgI.exe

Filesize
1.5MB

MD5
725988736ea43a7f90761faf2fa86b37

SHA1
a926f51ea2aee4c7b2bdd0356ccede1704929db1

SHA256
33578a6d258584dae84788593d46c7e818c11d57394e6bacdc5690a2ea32843b

SHA512
fbcd43285ccc44dd462d2256a07672139e766b0a1d63a9642001142b18496c4b2a035491a8eef57f46c8d39a573ee2ebda7ae070feeedb42d9c4acba5cdfd245

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pwse.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgYc.exe

Filesize
182KB

MD5
a1863ad33abf56d89938deef0a24ca9b

SHA1
d262346beacec26d15342907921c07070dae1ba7

SHA256
4d353207590b71d4fc45988ef57f477ad6801388011544581652b06d9ff5bf62

SHA512
bc4388bd58f81208204668b088085ab2af933cc24698cc4b2ff74eabfa27776fe6800319be01dbefdecb8d8ec8286654d7d7c1d85bf72f410e355d89f26e8ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoQW.exe

Filesize
194KB

MD5
6855075565af52d674217faee09a60b9

SHA1
39b57f486bff04d1b53be86894c963f441eb9362

SHA256
3881efa67b9da68f33aa5a00f43b5611e0f8703a622e6b0b844b92ac960411f9

SHA512
946b215169ac79e51d0349bf1f6c2a509235744d1aec972859be337edf26df4e371cbe7319baaa31ec1eadefcde1b4a35a1591622693b8f5575a2b19ba384f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsMm.exe

Filesize
194KB

MD5
f1ff279a5c0d126bcf0a4fc7f0088116

SHA1
e5c47fc7969c707c3175e0698b00f946deef4efe

SHA256
f446c4030d9abc6fb954f066ac29b1b51a02cca0b5ff10b639fbaff3de053dae

SHA512
6d0d96763d287d6e760760d86a88304392825a214c5e4231ea490107533290d1c735cabeea296dd971df3ea078d49d5a0370aa43810c8965db8d0bdfef249609

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMY.exe

Filesize
321KB

MD5
c911fd91286c5ae6d74c4aeba41153e5

SHA1
3421b70b872787337acd1981f158a0feccd6f911

SHA256
aa3656f68f8d242741910a23538247fea9a9e585e8fb2c41910904719a952b56

SHA512
2eb238dca377e55aba01c2dc7bce7e0e39a58bbf0fd33fd5abc8d007c4496c0056a3c2e6c38a6998cbea460ae168896805273e909846156cc06b2ae7d6cc25a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAos.exe

Filesize
198KB

MD5
676187d92272a16b78b319410ab3c687

SHA1
c3dedebd4784da062c9bcd1317aa560e2567015f

SHA256
74f5ae1f31c8d8c5bd156e85f2d3954b65349a1901aff262399c01d38d7f7d16

SHA512
af1e375d0ccfa5008522fde71a3042b4bc33753f51737209a2250df5e6ed27ec6ce5b3da4474d660ce5e377efbe65cabef3f59d684a8192fd0b37d5348e58460

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQke.exe

Filesize
292KB

MD5
d35a805ef698f2d6298b3bd9ab78f836

SHA1
d3c7cf5372e156add1038941e4a6dfc899f882d9

SHA256
fd35139742573fece59e84c54d5169c3f9d1165ffb2a040eaae5a35a583b8212

SHA512
414a420febb09629de9e822c5c86b015891d91bdcc63676126f15741087eb037a943ce6b60a06e62aa4dcaae2474f625fe585f622481b12c45cfd052d75a40b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkIm.exe

Filesize
627KB

MD5
042c6932a27f0c678a6db4afd81c4bfc

SHA1
c06c886326ecdf0f20d5a87595b5329afe72c416

SHA256
5b2f40ae2419d451f609f5596fce676a4ca9536f526feedb218ecbe709897559

SHA512
e55141062e2ba4bed03d680162255d3716d73ca13449a5100f504da84fd25f0cb51e1819b829663806606997e2fa8339812abd497eab5b8e09d54eb7180cc830

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsMe.exe

Filesize
203KB

MD5
f7810bdd2c963a0945532b3a9f2ca4c1

SHA1
fd8f1cd5aca16721695e4f2d595134e2fbe3326e

SHA256
73099b359323591dabbd592359e43bd01ab9500704e8384339a08239a6e1a3ba

SHA512
2f3237ca4da9e93a1118380617177b7c2a2b14f3ad71f0ff97e61fd13d5a55e14ea9b754be10c3448f495ce48881da0163c2e40108655468d2dd1c0ab50e941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RscI.exe

Filesize
185KB

MD5
7f1ad6265c7ae8520483db0e8bb576b6

SHA1
c9ecb79650cf2d8303088d8a508922893087fb3e

SHA256
d515c798d33544e56bbd84ac71ec472bef3ddfbdfb400ae109f3d48681e2000e

SHA512
9fdad34d720fc3fc600f8db8f44d51eb5982de2b2bdfc1ee201d153ce1c8e89461874f02f00a6192f6572a3ad0a047830167ac787e09f5979b7f5f380d993ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkQs.exe

Filesize
189KB

MD5
49d3b039b3c53d0966e7ff928f5a4a0b

SHA1
71734bbd883fc8cc7db7b1f73ca1a0642fbdbba9

SHA256
05800d3e7d324129636b269c4737d7f6909fdaeb5067095dc8325ee534b2f3c8

SHA512
cc2074d2953faa6d612c95c42c594b11bb73656527d4ccb193b1e6fa071db0b1dd961726f7e843a4449f92450e9cf9eaba80fc60142eb54a3394119119378740

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAki.exe

Filesize
202KB

MD5
5325c3aca5f56f1f50a82391d13973d2

SHA1
845b0a10b7613c6e65605c0f4093d6ec25f68b8d

SHA256
c604006c2d9474fb1e9ae76c16acaf7d3e5880647601a435ca2656d7a9fbe833

SHA512
c16d07e2eb196deffd23b343ed3506433de24e232e5cf5ede51dacefee294d43afa25380194182a33190765eb30aa1cd901c3816cb05a86a30fb95f758fc11ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYQI.exe

Filesize
189KB

MD5
6859338caefa689593b18ca81520ef28

SHA1
5932007647f4737671e62c83dbf4dc21bf4eee9a

SHA256
995d3fcb3bd5d3f6a75310c3c5fefb84c703424c24e127edcc8c2bd47eb0a6bf

SHA512
173afe8fd1a13b01cfdc14253391b2c51706c4e89da674b1fe94ff4e14dccaa2c5c17af0796ce32eec09fe9f4f4aeefc9e2407a712c60074894e17dc3a823725

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAAg.exe

Filesize
366KB

MD5
e7b2cb8ca7278861a212796c75b3d867

SHA1
c0670bf6c87effa56ae525d8225bf76fb8836356

SHA256
51646b3576601767440399aade38e49435bd79972310c59383296f45612bf72f

SHA512
5e370ed906b1729122df1e04cdccc25ea153bb6e77fd6761c5aa255c92c398f06a0c4bb1d2d9876609004300a61fad39547480183e077edad208fdbc32facd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAgE.exe

Filesize
477KB

MD5
f29d2ea5882bc2f2f966e1add996c7b2

SHA1
059199145188a78e36ea16d3b17bca1b7a301651

SHA256
e9dc3f35e7f909e23c8e14016e3ba4a0d1cb4cb6abdfe8325bc5183985411de5

SHA512
e30fdbb252f550dd4db42e2f12ac6680c8c06e3a94f8567c9b7cfa3be35aa13712f5a9a94fcced24b929ef68c508c35d3d7e0416e479c805b89ab20ca3c8aff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUskAgEg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUskAgEg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEcc.exe

Filesize
187KB

MD5
eacba77406406d889ed1d57414cf1d3a

SHA1
b5098b06a6e151246a6acd3978e0aefa2b449e2b

SHA256
5c9e68d362e394357d2357462bf76fb20ea9b9d20ba1ac29a8bf648c33bb0d75

SHA512
3aaf0ba2555172144d49bd12d79cb81e3aa84e8234a157a4e6f529cfe87a6ba28aaefd8bc4efcc40896954185d67eb5ceac3c546a238897488fa6c6ac87a5430

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAko.exe

Filesize
206KB

MD5
e41945110f0a5f889193a64fa82e7803

SHA1
913484349b0cdfaac54fc3e88206041ede64e1fe

SHA256
33536a3a8de2b16478e3659106881ee67054a3fc0c90f7749d9c4ba9163c1055

SHA512
25880a2a45e11b81357cb1047a88f0404505483cbf570856922274c48193252df466f39646dfc5d658ea8bd837342b7f2c05ab62c664593051d72c0df9c1fc0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQYy.exe

Filesize
657KB

MD5
c307586ef016a58ec049c2ff85291e67

SHA1
ed8f8fd1887862fbf6ccaaf1891c9a440fb3a39c

SHA256
95cf0005bb482014d986a5e82a53771a5a7d91c37dc8ab34f21e80d857775f8d

SHA512
e63a0c019ea3d1374a27beeb0724a1e625074892f80c6a2b308ea9824d3c358df6d0f00c7ffe0146732ec5a07f66c47482a67c703e559e2d71e1bd73f4dc968d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgAK.exe

Filesize
188KB

MD5
3545b1d0449a63ff446d460fd8501bf1

SHA1
116edc06e9a7a2bc366fa7eb0ce96295e1dfd278

SHA256
ee80c6697a5ff2b15147ecaabd4049402d03077b40bc7e2c107f2b5303df9394

SHA512
46b7ca429d0d4ad0d20caf4ed0330e10045a3f74422e882079c870e34c32ff25cd92e4bc259f6b21ab91346395c105c86f142a126973ee4500ab8e882426a4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ygck.exe

Filesize
191KB

MD5
ad013cdfa66a64e282d55e7d68af447f

SHA1
4c8d731632871f30bd872b4c2e8eea87fabdb73b

SHA256
f9ec0c8c1cbf2349662b275345bd2ce03a810b98a7ff47f9f3f36d0f5e9f52e2

SHA512
5862056c6b02445dbc85e2afca0e2acb38dd1e6687e7aba85b6455fcea5af741bd732240262e802520e9bcaded8f3a038206dc7b3eb812da5733b7d06764df52

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMki.exe

Filesize
227KB

MD5
8aacad5f57a2b3a82576f5b6d88e2874

SHA1
df01d5e50ceea323112b836453a2be3587f410f8

SHA256
114d13e15e447739a29eb6cf692cb9e921e43fa46b7d75d3936269dd1d3f048f

SHA512
e1c255830aa3b6f596345c79a5cb54dc20d1f2269d3eed2d14f1e227a2ed492baf8025198772c2e226018a0ba399d59bd1b502b4bfd6e273eff027a48ed761e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZsAM.exe

Filesize
200KB

MD5
6b64512028164b8f410a0059e4594eae

SHA1
a1b28061df61299c05af28f24de95e1ffb7f34b8

SHA256
39eac709edac2a75bd5bc833bd20929161ca74a81de5f1db8cb3a194cb82f8d4

SHA512
076c7a7200dc8cde52d646b4ccdb8e0f9d8ebb3a54f8f461a5d71182a46e7fa3e3073bbf948868ca53db1713d1dc60171061b53fac29885457275040c55375bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwEA.exe

Filesize
188KB

MD5
cfd0e79ab233d30c41cd0e84d0235920

SHA1
ee3acf45809c83d3fb274149b2bc3e4f03016417

SHA256
faa10d48cc458118ed18d62c75e21cff3de6f1aa4b04385da92a62c057eaea9b

SHA512
699962a2fc131185bb55c7a810cf2d9632c19f66180651555671a857a0a1a5c46c677a60209d089883ef76ea125da21863e3ad89944a709d69b32dfb6f8abb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAIkkMUQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWwYIoUU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYsW.exe

Filesize
194KB

MD5
a1aba41b5a46957b9a740cb22b6cfd88

SHA1
642a6c93d74492623e1bcc110c990463ab4f42ee

SHA256
f494284cca1cc16aa4dabacae3f753a436a9995c8a7083a785759a7bee47cde1

SHA512
37a384059a5b7dbdbbca4623f4d65a97561b39414d72476f995d4158555ced5dfa2f0715f1a3060ec1223d3a0ea4260d0f4182b8b24bb6cab73977c18ad9ad15

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMIm.exe

Filesize
199KB

MD5
6ab77446325051feb0151d0816a5cc6f

SHA1
f62cc79d5b9a7ee4e1aa81dac2098e7f505adc30

SHA256
b8a39b7e628082852c15143aa8d5c5a8d434d2f34df14ba42b1798d72dbad89d

SHA512
da6f1b289cfaf3ee7e038d71cd8ae8e763454a70516553ca1a3ccc650385450c03b5530c7ef5c7d126fea9fed1fce02a84a666f8d182816e563a025688a6c6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYgy.exe

Filesize
196KB

MD5
e6aed364ca0884219ff2ad916e45d6c7

SHA1
1f07582d8af51a9f760d90cfe1345e650d52d011

SHA256
19077378ea1886cc40fb0481e49137cbc1960c9a62abcb286f9f373005c75d0c

SHA512
2bb0f56249d1b6f22c12cc90db69609c7c7b57ed4aa913d6a2554d141bf91ccc61a0f1faabbcd5293080e42a00365d7618d433c94132beb86f83bc0477ac34d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcUK.exe

Filesize
786KB

MD5
386c3062cd4e64a4e75d8d982f5b084b

SHA1
ca975c3b52865129100ae3a7bc7f66a5f412a45a

SHA256
b40b90c08463300e76b5b8fad1fa6dbab420e3272bed55257161e2faf46f7319

SHA512
df0352d2b8b4d8055672ea374556826e9a60a6c6f6ab846405b2b32968b815b7207db68f6cea1a68a4c2e35bdb35129fce822d25c111583e76f3944463f7e654

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgwm.exe

Filesize
188KB

MD5
c15b200a35a01b07deed7481a135b2b4

SHA1
0a130812d2e199ad3009be726b43b3c2438e75f9

SHA256
56c6355e4648b96629a5d35743032202979535d78f055c6c76521cb9c2e9ef19

SHA512
0e9cc609d24b4916bd8f9d0041844d5c43dfa4eb18ac09c87f9b74d5e13fde2201e2513135a8a46bdd2a17a67d91bde7c0660e58bcde89a1428cb200ad85cbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\busAQQkI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEYIYQUs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMco.exe

Filesize
186KB

MD5
cb97c254cb062f4201e69c0d6d085e38

SHA1
46f50d4fad912777f0f9783c48d8e7222473101f

SHA256
9bf966fc12b7d61cccd4e954e8d6d60e542a51ed452953eb153cc3db6a3b36df

SHA512
3594e1d29f9f097c8d716096423d16dfd15c48775d5dbd46c179678ca92f7fc7d6c5acfa3c7a94b65a66133346b333c138330ca249edb641b623dbdf1d70a21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwYQ.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYUswssc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgMm.exe

Filesize
420KB

MD5
d06961a97da89f2f4ca25e8963a2304c

SHA1
906f6aac7a2110ec76f21097fccf2c4aa8b8370d

SHA256
9d1f1de0ef292b31b3bcd470ee01b682af91da4fc24d33516bca025d177a8e92

SHA512
17fa1ffa666553d5696da5a8b456d10bee71fd8bfd31c3310613be8c58f6c459b45ff65f4765bc7ba21330d680f5bf06bde6d7d2aae29829d5a887e0780aff40

Download Submit
C:\Users\Admin\AppData\Local\Temp\digEgkEk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwMK.exe

Filesize
585KB

MD5
0d0b800c32ed41fa3729fc18ef2b84b5

SHA1
7d3ed61723ec6a06296087c8ce82a901725504e7

SHA256
844b7113d6ca57bc11b7cc2e42391f6a741add6dd80ef2282158bb3405afd4ab

SHA512
2cc085f17f32ca01decf9623643c5d8cde4adad1fdd5dcaec5a1c3124ab27408e9c6ba5c7fa06cb65ad7bbae7427b830085c519bd0327ccdf067a5ce44b8e45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecEG.exe

Filesize
198KB

MD5
cfbfbd3e188c9e37d79a0f799c0d0ed4

SHA1
496723139366eebcd74f0b1be839c388f5ad84ca

SHA256
171b4bcdb27ac4279dd26371b7bfabd9c9167410637a17061efbb1ead6d8f9c2

SHA512
afe43cb3de15f97c60a42e001c7a7e37b1846ab21cb56a532de677c1010f56e6027afb8058f8d29e8454235891e1142959e9d8fc49cd1fc742ef6c697b006964

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQog.exe

Filesize
225KB

MD5
a422acc59a868974943c8c391850f7c7

SHA1
196a4fb2cabb2a6f04a85061054d2eb705d48681

SHA256
14b38f08941f326ab87ac0eb27b3632a929c656fa7b6c915ee1809c614005105

SHA512
87e57b5bb914a00a1d136e58ce2fc7d8029136df501a4ebf6e529933703f005df732dc333f8bbde2200dd2ab9c2a1483bd42e94ea557dfcc7b4c929ec912233b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYUc.exe

Filesize
314KB

MD5
aea9608053fb81670c3b1f9b14cf22f6

SHA1
045704f4f259b24edab8bcff33372a7a56f313c6

SHA256
9c7fd52e0803b99aba1ffa039a80830d52527f9286c0d2d4a8603f755aaa915b

SHA512
2001ea01dfb56cd6014d93212afbc98eefd33d749e1bd0ffe5df9c039c72cbbf7d9a1e878bdac560df2b0d4c936f151bee3e180ec6e3f6b544ab561b6c8dc0ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwUE.exe

Filesize
312KB

MD5
0bbd6703c83197e4188313b9d3fb5b96

SHA1
06af65c4b048c26fa85d4e6ff3690b6f1c036c94

SHA256
d0bbfd0bf6f85092dbcd1b5ff9eb8454e0f372d9002bdeb2af3cd4f1c2c0e279

SHA512
7114a1e2b4724176f67fde2f373c4f7d0a97cae9b10bbdcf6a1e8a559edf2f9634045fd6372056cef279619e65561044a266480d95146793ed36d1ff67453699

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoO.exe

Filesize
225KB

MD5
022973741a65bba054ee2f9032cb55cc

SHA1
86e83b802373012dd0c05fc496e46306bc9a178e

SHA256
87c9edc8ce5fbc95a41c15739e020ac0949572302a1052c170570b07949c8bab

SHA512
aa9f5cbff2485def8da0af6c69aa993e6858d3c1883c87fbce7776323132a13062a7264de90771bbb3e4fd73c0dfc07d89ecc023ef913ca9b3dc1779d0185d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIIE.exe

Filesize
205KB

MD5
5242509c405a64d2abf491de3147043d

SHA1
b37e8c61e06d81ff4fc108e30ac77c8150b6bc32

SHA256
121ddb47c441e7f8e9430c66945daffa94c4932059f5b32b6d5706a5439c3cb5

SHA512
094861b35b349592e187701f439d27fcae60b2c1c05a910cd015797f3395ff9cf58d187eadd3b388645a70d471f2fff0ae1005d1d3d59f8b29945f4a89e64931

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIsI.exe

Filesize
423KB

MD5
0bd846e345b2eee0142f96b8e53db1a4

SHA1
9c4b9793ccf822ea979b3302c12c474a5d0174b4

SHA256
a3005c31ee4582a2e018430c090090db44f8d9d3b7aa16c2031db26effe746e0

SHA512
9808d2d8de3915be0f0d3bcb56c0a2861ffe2030228b7a6919148a1059843aa76bf9c0e18f881f24cebcef1539d8a124a95af636cddfc33e6fa82e2adfab85e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIsQwkAs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEkK.exe

Filesize
410KB

MD5
243675e96c7e1a93ea6fccda413a7af2

SHA1
8f7d7a8a7b1cefd4c8a2b7d3d6fb87d85deb3af7

SHA256
c35914f33a79fe06afb026c2dd3b95fa6a4b215c29c453cf16f643e29e08f95a

SHA512
f55409d2ac2e178d8e413e52e515fc181cccd1274ed21d05282ef5986895a048354af1f68c1f920172b0526d4cdb74b17e0a8dba736aa0c0befcf640f4fe64a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIEg.exe

Filesize
201KB

MD5
bbac44e047152babd32508cd6a290caf

SHA1
e12197370a8961ff8b91831c1bdfecf18a4e3613

SHA256
f935e7e30579e7f11ca10552999b42f7355ce79540aef43cf3f2167b62467a86

SHA512
93c31b54e7ae919343218a6f9e6a2900df3b4afadbd04323a67e0941d6c39cdc7f9bcd9dcc19b46dc20def21bf155cee5ce3efe69b09688df4c0a136bd179dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYMO.exe

Filesize
187KB

MD5
37b0549cd57e5824a162a67d337cf3de

SHA1
4b8b018a84a0da194a6b0a1494f414229f89e315

SHA256
74ae858fd4545fe27320977a5ef44def03e0b03173e23d3c8f33ad633f1cfc17

SHA512
8453c8fd7cbc9fd37604191980313220a5c27a1b5ee9a322d2f1a64acc9fb92f3ab4282d03784cc02e4cc7c06d1671c184d2bce70fd929d70cb44a19722f097b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgwwEsAA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIEM.exe

Filesize
190KB

MD5
36d0334b449b7cd729c2af6efcedd9bb

SHA1
e52f15e2b9c8b5a11c68515ebb1d5c0b308047a4

SHA256
dde827fc59668e8693a3defb066bef09fc8f9aee0ff3bd460c1d06efe15ef15b

SHA512
3c92168fa9dedc848efa192b25ea962e6c5191cee9471ffc4878a5d951c244caeabb207aef4b6f29658ff98098870dcebeabf8a48dd53b83e4846e004a6055e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIUs.exe

Filesize
340KB

MD5
e4150ad504a891a3e403288e9b6837d2

SHA1
8a61395754c8e219fd258132162a506e7dd9c6ef

SHA256
0b18d854a2e9454668becb9adfa868ac61ccc13af64cfe1e6c2c4299cfa0c6d3

SHA512
21a7a9255430d64f7285e07d8dbb60348326c398c800e073c71503d4b1eda884a3dc5eb61a1c50442921974f8cad976cf8152275c765c6882a1ed29d2a674d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQsQcAkA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgcgoskY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwscgwUk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQEM.exe

Filesize
5.9MB

MD5
d08107e44591a7862ff1c10d3cb8fdaf

SHA1
618ca02d275e58cf214a42733c4293082b15ab65

SHA256
543d01f80b9f07d86b12b2cfd9649f9031f8f753efdf9c219ef3290838d2d905

SHA512
17c729d08b2f331ddb236baf84fd0a8d8c8947db2694909ada73607159be9e4eb7c66699ee444bf115e26e19d63d7f609c7c0e457344b6cb9b643d95fa7a2899

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEEo.exe

Filesize
209KB

MD5
990e5a0288193c2b7413924067871768

SHA1
dd84f9499d1317a04679207f1e691b34bd1b5906

SHA256
18c37022e8799c3df28976fa674f210d48ab5e2c5d002970fd23cdf9778961e7

SHA512
413443c9cc6ceb510b52af0d48e9820579b3731660cd9db1abc8f2eee3580db7fc21b83c8b99bb05fe17d90c3d6a19cc60b10770b5319f613cd8d4df71083069

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIAI.exe

Filesize
376KB

MD5
711bb8bc60017b9aeac9372cc5c2b340

SHA1
ae62336520df476d34cb5afadf82c40e62eb8153

SHA256
1de12ac8b1ebbcfb12b543b01ad2a51bc3315322bed638e276d6f5bc940efbf9

SHA512
a578e64843e7ff013beb8e545207eb8ecc1b8b93bac7b84d0789f23135d8e7dfb9a2c8b8ee517b5a0eca140832a6d0430b0aebf0527f390e8cdf3f93181cc1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIwG.exe

Filesize
208KB

MD5
4e95c13f9800742e6882b98f5f6fe5b9

SHA1
2ab87c0c5ed2f61614d75194f5a21f82d11457b8

SHA256
66484b2cc98aca844c857bdd47b420610535da4d3c0cdeb027f477e9504f4471

SHA512
bd609dea65def01569efec4569921c9390170b738bace0f9f248f9ff6bc8602680cd9ac6d0d6e315d2833a3aed740f0031b19ae91f0203a082993cd273c9d4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKcMQAEA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQkK.exe

Filesize
194KB

MD5
98b5e95ce50a88bdb42f85c4efcf74de

SHA1
ed91157897fbd69bdb09408d720746329d2a7a06

SHA256
95930fc4022496f2a6e30b432790198967427b45c51e655fa9e50cf29d177d7e

SHA512
7dc81fb9d6cf433c6884c9815df248a50e1d1fd0413d7fbd9e9d87a26561cabbc4691d3afe1d3bdc322b6c0dd5d99b885ee2edb05b601e4bfc9fd42fda20ddfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkUs.exe

Filesize
838KB

MD5
5285442c3e469cf6d42ba88cc7317754

SHA1
91600508973b4f3a1994d6d7c53dc088ce6978b9

SHA256
57dc3cef535529944801c7046cbec56e0af9e517d01429dd578611120ce3c08f

SHA512
9b0723fa8ddd6852324e4d145034e62a0be0c9f2c35186ce6f822d1ad0f1f027e9b25a2c7cb8541ce03417d9841b16a2436abecc0a5fd23b93a4773dfd9db161

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAUC.exe

Filesize
1.1MB

MD5
6fa40d41ed147cbaf9895e9b04c77c8c

SHA1
3936a97930402200ce26e3af133a05da4f00357c

SHA256
1f1dd78cb6ec847695137a70a47746e408cdf483413dcceee114db503a105831

SHA512
76b8ad59e4ad5aef27698a76fd14bd8d3abb189f07cb77944de6aa23b9f5b8a39e6f6a02bde064ea4e3e3c22b0902dd5e25bad265779ed59a341ea5931c6c3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIgI.exe

Filesize
224KB

MD5
909288992f210ada48e9af4c6f024061

SHA1
f9c2104dcc50ee88c257621aa41ae4b3fe2a5a4f

SHA256
2cc5edd7c8ee88e428ca2fd0e02f64c10b2b715051e77282d525c150ec0b75db

SHA512
1af066d53c015f227a9ec6de853f5922c335ada9175f23dec3738641b6510c4a88bff90dd9a13a0e2371c71ee833987c1469a312fa77279cfd686494af3a4b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMMW.exe

Filesize
197KB

MD5
3a600569e5bc966ea01d60e26f67a2d6

SHA1
2f02a1c8efc2753f299b8567debf80b8dc2a35a4

SHA256
b8bd5aa9419684693fc03a3351ab56e45c6498adfc9d405ecb006935807ae400

SHA512
51a5b5a281ee2b54ab8cf118cf25ac56e0477e47c2bbd3454b332c2a938c2cbc462c79bd0803e2f33653eeac1580944a8dd0464f0ed7838ce6fa1d19ff3859ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUEU.exe

Filesize
213KB

MD5
4900d9896f0600087d57e74ffed73ec6

SHA1
ce0e5a584afaa5341978f9a8e3a4f3019fecf59d

SHA256
ba8fac04ef605d9170fb69f97ed0db1d81a3a38b59eb77ddb5b4be3a710bbb04

SHA512
fb13ae606633bd6e8f1d554fdffb1bf02a89a5cf95b2d7b26762708d62ce6414667af4b60137e519ff5e7b6f42ebb9ee414eea3130aa2d4e8129b0487437af0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\osUs.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYUQ.exe

Filesize
234KB

MD5
9d267989d63268b5e959bd52345e22ba

SHA1
226c60249162ffd2849afa1aedc5a71f0bbeac65

SHA256
7708c4d8e2dce3b963a0f931cc9e001ddd278366c660c69e9c9c72b85c08975f

SHA512
41ced882cc3771c1caf33f6e206d801e242673e74eb8eada4a7dcb475d2310a301417d4303b2ef676776b6e58f2ac508a5d7a0ce71e54b1e940772513fd1ee8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkAUMcMk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssQ.exe

Filesize
184KB

MD5
d3ed8031dfbe86fa0b9cec9ccc9f4839

SHA1
36619ba8670879f051a368c5b51df18eac4ef8d5

SHA256
fd0b44900c44acb24f4a84994ac7130f65ecbe3aff61e885ee9c0358a6dc068f

SHA512
9b74b6394bea2bf37adb4b87e86c10c5739d83f95faaa730670389dd4f35199fc81a172c1e149ea5a32a80f21accedeea918febf5167e4ef290dc28b91647ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAkY.exe

Filesize
185KB

MD5
ba100635ffb4f5f85c35bd00dbdb9215

SHA1
23cf006eec9c6283b0500e9dd622b8bad73486d5

SHA256
bc9e568e97964272fe9dfc7968cf5ed17cae97f07c43cf2dd89f8033616d61c0

SHA512
8313357ef0ae581691216a6b63d23d8acbdc84cce8fb9f9795613f289ea02697aacfa317c05a5f2b0e72c5d93918b1366f9020abcab431df00c9fea0367f077d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEgW.exe

Filesize
1.8MB

MD5
24063c636cb47788142482279498c4bd

SHA1
04fd82cad4f36692cd5d365fa9da651b07a510c6

SHA256
78634f5d3072393bd37a2e9fd4bc7768c9bc52942e52a9eb945cb60e691bfd00

SHA512
1231262fadb90d123afeba29268a63ba9c3834cc9acf9650ddc7e99e4d2b68ddc1bba2f7f874bfb62bc864794abf4913b8e33611bbc0b250a812d319b5ecd171

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMgQ.exe

Filesize
385KB

MD5
f73052859aae7fe791e5099f971bb616

SHA1
8f7919c6a874d07377e0cde0fd2ffce216e19b0e

SHA256
d06f910a979fc2da9f8aeb55519e023e46676a79504d85b0b2b9f1e0adb5882a

SHA512
1b21d5b3946761928873587e241792ce543a83d79e7602d87389bad604977a0134ec14cd8a9a0f747294bb2d957eb629d58f6613219784989a4f6f1f4669ce5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgYu.exe

Filesize
190KB

MD5
169e9513e3ed6f6ced7f5d73101457e5

SHA1
9d6ee7fc7eb19b7c3676dbbbdb172bec0be86311

SHA256
3697ea4abdda10900d549cb4467974962f7aa44347aa8833a90a3ab6192e376c

SHA512
b10b9a11828803bd4aaa76550f9cce344e60a19da2bb0341845a7fb760f7ca88b7d2fab97fc783c0d3ebebb5d811fad4cb6ef223879fa918ff3a317f2a33af75

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgcs.exe

Filesize
191KB

MD5
873c19bd4998dedde9a652037a1e033e

SHA1
69104329d46bffa015a3fdaaa33c3ca8b0a8cf05

SHA256
6ecc89518181043839cd479c711b2f6d1dd52002b4bc2226d47f20d4afafa453

SHA512
676d89ffa52767fa3eb19a413bcefdaebe1dc0d98801a3f1d36e02ef32e48caa9d8de7578028a78d5eba2fe202fa85da32c5a598c89bbf06f11ae3ed897ed5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\qooM.exe

Filesize
221KB

MD5
a2271c37cd8233f7edf8699015aebc08

SHA1
4dae622b2fd017283b9210d2499445b270e96f2b

SHA256
e270e6515605bc2a8a3d08e97722e8dd8c20eff5a4324228946fd91298498de0

SHA512
89e8c58bdd1e5a9c4bc75478e5662ebd0eaca68defc1b48686da018fbb8d1055d7ba96c774bd11586652956af60d42333432c10676abcbcf6bf496b44484328e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQMUYsos.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgca.exe

Filesize
200KB

MD5
b70c50489f56dd53899f16e3d66f358d

SHA1
9a9d81d1dc560fa4ecda15ffd31923a272614218

SHA256
98b5f78eb52c24abebc8540c7cceefbd7fbc88c296f3b733341c836a42a0f47e

SHA512
f9a33baef12deae2e09c880c578ccc65734125cd70f147f1714606b9bd07bab243109c57c99e4b0e60c49ac1862a4008ec48e9950fafa61a6f44d5438f273db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rswC.exe

Filesize
190KB

MD5
84567bfbd5b1bcc0f5be76e870acd42c

SHA1
d014af30080ccca75b701a46afc56af6e082027e

SHA256
30245acefa71cca3aec957eaa339e045054322e8a8805e614e097faca9799aa1

SHA512
5de65a3ef057cdec190d01f6490fd0ff1e76a2b63bb31bceba4e920d2f9c04497f0eadc11f9ae3ae7ef8d5c8cc09a96367588f2e1beeba71b02f7092f5a5e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAwu.exe

Filesize
192KB

MD5
4b62d1bd319a4552d67833fb58b5f11a

SHA1
45488e5abef59b705e1b1e467c64f9dd5a148786

SHA256
17c9ef539555e472ae8ee2849de0ee3048a8ca0ceedf6f7bc2482fcaaa00536e

SHA512
69dc89c9a79ebefd1a88775dd0064018c33dd12e25cd365cd0371958835c63519eb07a5b6b689c74abc71b7369159c8aaf3822d900d0695912bc5cbdd357dd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYsY.exe

Filesize
207KB

MD5
a1cc1585edeba341214d4806882fa498

SHA1
0b0cc78582b97449b7a4d73c45b281395031f501

SHA256
6e49db2380370d09726fcafcb19da328399344675e592ea00b1c72faafe70c76

SHA512
85c1b7dcfe218a70f4b1cb1cbdeb57239a90190759ffef8019b77655c711a61f192690377d62b94822937b3f5011ac64568bac772b267af95660920b45ebf8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sksU.exe

Filesize
263KB

MD5
8e931a1552560d129d04a1698be151c4

SHA1
119eebc0827aa727ec421a0aa64f5981beb8e318

SHA256
f57e1f927c698451add19d628076428ea4b5b5f7f79e9e0f63086fa9eadc5980

SHA512
12699a5b21bdbca0d7f74a427276ac6456f05d4cb3b19a6c53104423ea0e872f29b5e5d6be98b1e7278f1f627f688fdd649b81a331ded20c8accaf5e74b41db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYIC.exe

Filesize
5.2MB

MD5
dd2468813e6a488bed742523d080aa12

SHA1
670db5da63804fb2436b6da1288bfb2e9bb79b86

SHA256
ac690d09fd24680902fd5309d9c5cdd5a7f28a3112d457968c49dab76c247d17

SHA512
3751879ef05d83af9810aab5ae680e87b1f5b7e37a3752ba2fa941d98dcf2635d40e96016e30ee54a349924fb08589bb68cb2ba800ab81fa20b5367ed28c1561

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgEy.exe

Filesize
194KB

MD5
d8c673f27c9f18407d61f28c83b15b12

SHA1
340a2bffa23f336cbbe930032fa86308c48c7839

SHA256
07f35031f22061108ff7cf16a77c88feb065d90153325b46079670a3828a3866

SHA512
7a44fa02963a608f5712fb18f7daf5abeae6e1c1443b1379078521e7bf12f2770decbc3d6d1f8e9a72ae50f55e46939bbae47f7e6403d4532ff8442fb65a5cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIoM.exe

Filesize
199KB

MD5
b1d97103ec68df8c5853edea717fa7ef

SHA1
2234f713b9736783f00cc35adfa32ddfa4d8b328

SHA256
2ebc1008e6fe43d6bd7aaedc45b8c4cc2910408076f6e895f08a3931edb6c889

SHA512
228ab7b572c938bee5e23da59cb0451f32a4b2ae9323c01ce7e17371f43fbc4c60572f0bd609a06ad827998f44807eb5495c943cc0a80b957db944466fa7a743

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMEW.exe

Filesize
202KB

MD5
fe6e6cfebd8bdd804f0f1d8c706c1d7b

SHA1
980b41bddbfb8c366b64456ba20c5dd9365c7a05

SHA256
7d2e1b9ad3ac05302b20f5f7878d7064c8a272c5520eed32ef063383f66922b6

SHA512
78eaec52dcdaaee20d0489d35c9e590f442df47ce2f511849027471d1c68438812a5a3739c6b70a4e4e19d665a8063f22d54fd91f4670d3fcc6d554ff406aaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQYMQooo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vogG.exe

Filesize
181KB

MD5
60bf7f3dfb4fb859f85213278ac754f5

SHA1
3ee99a97c2e2b62bc0931793afb3570c928d7167

SHA256
52118f4b46be7ae304a3c64cc8e07c23fe724929bb73966b78225d120b3001c5

SHA512
a112f529f41a0e6419639be4521d4da7536be66524e4e721b3a841f86a4b374f1927ab03890d095903231a0f78df44724092d8c55efd171da290b23d8cf0e141

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMoG.exe

Filesize
448KB

MD5
911eb080b347d37de915aac4df1b1cc9

SHA1
507f416f0aa8363a62e857e49f1ed100da35df75

SHA256
024b47c361f680ee5913e8551f15aaf8e8bab86202956e8a548ad0458760cf21

SHA512
6909aa826002183447294dda032962bbf0d755e295ff4241a5c58e18e25f03ff19a304ceb8a184e65427f18df1c95b654fd64c4ccfca721a219972b431225dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYAu.exe

Filesize
1010KB

MD5
f9bec6c4a5d8a9890ebde1dd3335d8db

SHA1
447e568a4d3dd6dd46709e98383cdb1eaf5a6cde

SHA256
7b2681b9aff2fa4c36006c3797a3c3a5b0fb6a758fdaf52095a25a32bfba3fbc

SHA512
1ba171a7680931c59e6901170011fd274ba9b681ef50b8855500b0706a3e828279843a81e7d71cf3a2ec8e8db36a6abc79787bca002c5cf58514332b5e2a77f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyYEkoQg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycIy.exe

Filesize
309KB

MD5
504ad97c140b37de6ba6ae6992f5e33e

SHA1
6bf44f66f5564d36d1b21e559f09b9af0891d983

SHA256
2fe21592273167cb9a4f164b992f4e58fe35e0370802795ff9ba984570746851

SHA512
2610f8bd354fb99876e95cab3b783036639352fe538534d73bcdd7e95e1b8225daecc8de28bdb67d46720253836522ed36ac4c9c745e7b0835e541f2bfccc555

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkoE.exe

Filesize
784KB

MD5
287b07aa5041c48fb2a9526c71992d0e

SHA1
7f8d6040b038cf40654146dff6031fef0999925d

SHA256
c0d65bc705364fc186c4fbd071de2969b2eaf935396c352d605d5a37dcbc5137

SHA512
f7d2aa579b2a6ec56851bdd0bf494e847dff523bcebc99c67e1a756edf82a454b02641b7364aa190801bcb247db144fd1af3c9db4bc2bf551046668d2ca7a01b

Download Submit
C:\Users\Admin\Downloads\JoinNew.png.exe

Filesize
707KB

MD5
58641bc9d91a70fad34a49b1b12f95f7

SHA1
afb865af140d6a3fa55181c4897124f6bf69b19c

SHA256
61f19d123da24cf2163850fd8097c1451d3799c37b4a7ee19e3ca49a964bd255

SHA512
fe62809ae2079d3f235dee598ae1a100048efed9bc14bf97bf88e68fd68962917704e52221ef9c1e965578d67abfd1454d159935d98a132b87a0dce044bf03be

Download Submit
C:\Users\Admin\oqQAAYYw\miogkgAA.exe

Filesize
195KB

MD5
300946090a353ade313d21c89145f54f

SHA1
900cb9874ec1f777b7a05691a9d424299e3e346a

SHA256
e23289eeec333625790f916fa87c995a2a944f9318efdf851c129e17e684af96

SHA512
af4ef996e354c001bfc28644cb5bf8b2869cdb6070bf13d395980dcdf0794e7fb1902a97524027f78c754c0beeb3a420112b68c06b26ab3d56999288b0738525

Download Submit
C:\Users\Admin\oqQAAYYw\miogkgAA.exe

Filesize
195KB

MD5
300946090a353ade313d21c89145f54f

SHA1
900cb9874ec1f777b7a05691a9d424299e3e346a

SHA256
e23289eeec333625790f916fa87c995a2a944f9318efdf851c129e17e684af96

SHA512
af4ef996e354c001bfc28644cb5bf8b2869cdb6070bf13d395980dcdf0794e7fb1902a97524027f78c754c0beeb3a420112b68c06b26ab3d56999288b0738525

Download Submit
C:\Users\Admin\oqQAAYYw\miogkgAA.inf

Filesize
4B

MD5
0995a167eac79e294daea60364e574f9

SHA1
74f59fffb8edc9f862f6c026184148befa7b032f

SHA256
a56b59221bf8cf3c05a49943433deb3010f1811514e0a009613778aaceda1e28

SHA512
91ab3b4c520eb6515d79c15b55d4cb3c607d2e5545f3ca0dd30c183edf71c1cface3ae49b9d1fba026708a63eb992fffd99f9690492238300b312b30ac7656b1

Download Submit
C:\Users\Admin\oqQAAYYw\miogkgAA.inf

Filesize
4B

MD5
ac6321dd0d34ee48f596024090840827

SHA1
b60fea97a7495faf636d80a772f4a4a4fdbf8a4a

SHA256
10bca15f0c8cc9f92801afe8fad35a3bff65996a0baf8df0202a1e1eac062268

SHA512
d1f5ffe0625b27eeea00eb730e8f4bf3bb13d1630b8659b31904be9bfa5973b4cac068e4f38b8601a44a6789ef7c330d4b61676f7753c4db2a4410c6e0e1fc24

Download Submit
C:\Users\Admin\oqQAAYYw\miogkgAA.inf

Filesize
4B

MD5
6c991638cd7aff476142ac0cb12c58d2

SHA1
8f9f48e5e9e170d425201e8319281b54a8bdf741

SHA256
8fc9d07d50e1f4848f782bdb0cf76005c7d086cda5a2cacfcc84b8ab6a758ec0

SHA512
b733ddff031a9d5792c331940c3d359182b006c310f2d53c9f186c9be5cdded5e7ab193c7c50a70f6836677b07473cbc3679f7015ba8939eaf33fb8350042028

Download Submit
C:\Users\Admin\oqQAAYYw\miogkgAA.inf

Filesize
4B

MD5
c0c12e6bbe6795f76c31db56c26fd86f

SHA1
3c1f5ff1443040bc37d920f72445f6163933eeed

SHA256
39c41d5df8fa518c99719657f802e2f6944fb1abea510d4eec14749dadadd3e1

SHA512
757e54c582e62b464a009405542a44c8027d1a1e5a7c54768887ba1303c2f89180b8e834dc26eca25a707d1f62e18f1946ad9d1401efb1a3d77cedfc5f0a552a

Download Submit
memory/456-151-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/864-568-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/864-577-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/916-587-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/916-594-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/976-612-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/976-431-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/976-421-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1064-613-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1192-298-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1332-139-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1332-154-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1348-539-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1556-275-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1640-403-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1640-395-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1660-502-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1660-498-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1840-493-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2080-393-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2140-512-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2320-604-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2320-520-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2340-223-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2360-420-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2548-187-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2716-174-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2716-456-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2716-448-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2740-351-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2740-336-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2980-164-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3092-145-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3104-585-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3172-447-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3188-385-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3188-324-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3212-566-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3312-548-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3312-558-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3584-248-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3688-262-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3688-251-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3760-286-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4124-476-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4124-483-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4144-199-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4144-188-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4176-547-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4280-439-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4504-362-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4516-474-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4676-224-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4676-234-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4804-412-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4872-294-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4872-311-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4892-522-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4892-529-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4952-335-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4984-212-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5004-466-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5012-370-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5012-375-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download