71f3b7cc913ba175a709447b8127781dc8b2e34479cec84dd9b32a2ba972d9ae

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4ab2c140478c5exeexeexeex.exe
Size

199KB
MD5

a4ab2c140478c54f3af92cb9c1dfba7a
SHA1

4f77f4908a93202839fd145cfc95aca009d34a1a
SHA256

71f3b7cc913ba175a709447b8127781dc8b2e34479cec84dd9b32a2ba972d9ae
SHA512

5d5e5bd422d921b73ac1c5c98cd17823bb65a0eed9b1031dfe807dd5a451284cd62d91738ba355ca2353b4ae43c240334139c034d6274e4da7c22038896e9bcf
SSDEEP

3072:LUGyiS7dgq2hMeQYwIex/5Es8vEWFwjFKtG8Udq6hlxCo:L9adg/wIe16WJjFQUdthGo

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a4ab2c140478c5exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a4ab2c140478c5exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a4ab2c140478c5exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a4ab2c140478c5exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a4ab2c140478c5exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a4ab2c140478c5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
20	552	cmd.exe
23	552	cmd.exe
26	552	cmd.exe
27	552	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	ZwEcAgMM.exe

Executes dropped EXE 2 IoCs

pid	Process
4016	ZwEcAgMM.exe
3388	SCYEwwkQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZwEcAgMM.exe = "C:\\Users\\Admin\\rMEsQYsw\\ZwEcAgMM.exe"	a4ab2c140478c5exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCYEwwkQ.exe = "C:\\ProgramData\\AegosYsA\\SCYEwwkQ.exe"	a4ab2c140478c5exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZwEcAgMM.exe = "C:\\Users\\Admin\\rMEsQYsw\\ZwEcAgMM.exe"	ZwEcAgMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCYEwwkQ.exe = "C:\\ProgramData\\AegosYsA\\SCYEwwkQ.exe"	SCYEwwkQ.exe

Checks whether UAC is enabled 1 TTPs 50 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a4ab2c140478c5exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a4ab2c140478c5exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	ZwEcAgMM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1400	reg.exe
2032	reg.exe
2296	reg.exe
3936	reg.exe
4508	reg.exe
4400	reg.exe
2152	reg.exe
4608	reg.exe
4608	reg.exe
1140	reg.exe
464	Process not Found
1320	Process not Found
4812	Process not Found
4600	reg.exe
896	reg.exe
4956	reg.exe
2112	reg.exe
3696	reg.exe
3548	Process not Found
644	Process not Found
1912	Process not Found
1400	reg.exe
4120	reg.exe
5056	reg.exe
3848	reg.exe
2680	reg.exe
780	reg.exe
3288	reg.exe
1496	reg.exe
2872	reg.exe
1244	Process not Found
4472	reg.exe
2324	reg.exe
1028	reg.exe
4864	reg.exe
4752	reg.exe
3964	reg.exe
4984	reg.exe
452	reg.exe
2816	reg.exe
3164	reg.exe
3840	reg.exe
1208	reg.exe
2660	Process not Found
4696	reg.exe
928	reg.exe
3004	reg.exe
4348	reg.exe
2816	reg.exe
516	reg.exe
4028	reg.exe
2884	reg.exe
3864	reg.exe
1908	reg.exe
4620	reg.exe
3356	Process not Found
2156	reg.exe
408	reg.exe
2144	reg.exe
4520	reg.exe
4844	reg.exe
1852	reg.exe
4620	reg.exe
3432	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	a4ab2c140478c5exeexeexeex.exe
2936	a4ab2c140478c5exeexeexeex.exe
2936	a4ab2c140478c5exeexeexeex.exe
2936	a4ab2c140478c5exeexeexeex.exe
3044	a4ab2c140478c5exeexeexeex.exe
3044	a4ab2c140478c5exeexeexeex.exe
3044	a4ab2c140478c5exeexeexeex.exe
3044	a4ab2c140478c5exeexeexeex.exe
4564	a4ab2c140478c5exeexeexeex.exe
4564	a4ab2c140478c5exeexeexeex.exe
4564	a4ab2c140478c5exeexeexeex.exe
4564	a4ab2c140478c5exeexeexeex.exe
3364	a4ab2c140478c5exeexeexeex.exe
3364	a4ab2c140478c5exeexeexeex.exe
3364	a4ab2c140478c5exeexeexeex.exe
3364	a4ab2c140478c5exeexeexeex.exe
4860	a4ab2c140478c5exeexeexeex.exe
4860	a4ab2c140478c5exeexeexeex.exe
4860	a4ab2c140478c5exeexeexeex.exe
4860	a4ab2c140478c5exeexeexeex.exe
4024	a4ab2c140478c5exeexeexeex.exe
4024	a4ab2c140478c5exeexeexeex.exe
4024	a4ab2c140478c5exeexeexeex.exe
4024	a4ab2c140478c5exeexeexeex.exe
1600	a4ab2c140478c5exeexeexeex.exe
1600	a4ab2c140478c5exeexeexeex.exe
1600	a4ab2c140478c5exeexeexeex.exe
1600	a4ab2c140478c5exeexeexeex.exe
4812	a4ab2c140478c5exeexeexeex.exe
4812	a4ab2c140478c5exeexeexeex.exe
4812	a4ab2c140478c5exeexeexeex.exe
4812	a4ab2c140478c5exeexeexeex.exe
2764	a4ab2c140478c5exeexeexeex.exe
2764	a4ab2c140478c5exeexeexeex.exe
2764	a4ab2c140478c5exeexeexeex.exe
2764	a4ab2c140478c5exeexeexeex.exe
4608	a4ab2c140478c5exeexeexeex.exe
4608	a4ab2c140478c5exeexeexeex.exe
4608	a4ab2c140478c5exeexeexeex.exe
4608	a4ab2c140478c5exeexeexeex.exe
1248	a4ab2c140478c5exeexeexeex.exe
1248	a4ab2c140478c5exeexeexeex.exe
1248	a4ab2c140478c5exeexeexeex.exe
1248	a4ab2c140478c5exeexeexeex.exe
524	a4ab2c140478c5exeexeexeex.exe
524	a4ab2c140478c5exeexeexeex.exe
524	a4ab2c140478c5exeexeexeex.exe
524	a4ab2c140478c5exeexeexeex.exe
4684	Conhost.exe
4684	Conhost.exe
4684	Conhost.exe
4684	Conhost.exe
8	a4ab2c140478c5exeexeexeex.exe
8	a4ab2c140478c5exeexeexeex.exe
8	a4ab2c140478c5exeexeexeex.exe
8	a4ab2c140478c5exeexeexeex.exe
1644	a4ab2c140478c5exeexeexeex.exe
1644	a4ab2c140478c5exeexeexeex.exe
1644	a4ab2c140478c5exeexeexeex.exe
1644	a4ab2c140478c5exeexeexeex.exe
3368	Conhost.exe
3368	Conhost.exe
3368	Conhost.exe
3368	Conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4016	ZwEcAgMM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe
4016	ZwEcAgMM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 4016	2936	a4ab2c140478c5exeexeexeex.exe	84
PID 2936 wrote to memory of 4016	2936	a4ab2c140478c5exeexeexeex.exe	84
PID 2936 wrote to memory of 4016	2936	a4ab2c140478c5exeexeexeex.exe	84
PID 2936 wrote to memory of 3388	2936	a4ab2c140478c5exeexeexeex.exe	85
PID 2936 wrote to memory of 3388	2936	a4ab2c140478c5exeexeexeex.exe	85
PID 2936 wrote to memory of 3388	2936	a4ab2c140478c5exeexeexeex.exe	85
PID 2936 wrote to memory of 3568	2936	a4ab2c140478c5exeexeexeex.exe	86
PID 2936 wrote to memory of 3568	2936	a4ab2c140478c5exeexeexeex.exe	86
PID 2936 wrote to memory of 3568	2936	a4ab2c140478c5exeexeexeex.exe	86
PID 2936 wrote to memory of 1912	2936	a4ab2c140478c5exeexeexeex.exe	91
PID 2936 wrote to memory of 1912	2936	a4ab2c140478c5exeexeexeex.exe	91
PID 2936 wrote to memory of 1912	2936	a4ab2c140478c5exeexeexeex.exe	91
PID 2936 wrote to memory of 3184	2936	a4ab2c140478c5exeexeexeex.exe	90
PID 2936 wrote to memory of 3184	2936	a4ab2c140478c5exeexeexeex.exe	90
PID 2936 wrote to memory of 3184	2936	a4ab2c140478c5exeexeexeex.exe	90
PID 2936 wrote to memory of 3032	2936	a4ab2c140478c5exeexeexeex.exe	89
PID 2936 wrote to memory of 3032	2936	a4ab2c140478c5exeexeexeex.exe	89
PID 2936 wrote to memory of 3032	2936	a4ab2c140478c5exeexeexeex.exe	89
PID 2936 wrote to memory of 4928	2936	a4ab2c140478c5exeexeexeex.exe	88
PID 2936 wrote to memory of 4928	2936	a4ab2c140478c5exeexeexeex.exe	88
PID 2936 wrote to memory of 4928	2936	a4ab2c140478c5exeexeexeex.exe	88
PID 3568 wrote to memory of 3044	3568	cmd.exe	96
PID 3568 wrote to memory of 3044	3568	cmd.exe	96
PID 3568 wrote to memory of 3044	3568	cmd.exe	96
PID 4928 wrote to memory of 4084	4928	cmd.exe	97
PID 4928 wrote to memory of 4084	4928	cmd.exe	97
PID 4928 wrote to memory of 4084	4928	cmd.exe	97
PID 3044 wrote to memory of 640	3044	a4ab2c140478c5exeexeexeex.exe	98
PID 3044 wrote to memory of 640	3044	a4ab2c140478c5exeexeexeex.exe	98
PID 3044 wrote to memory of 640	3044	a4ab2c140478c5exeexeexeex.exe	98
PID 3044 wrote to memory of 4380	3044	a4ab2c140478c5exeexeexeex.exe	100
PID 3044 wrote to memory of 4380	3044	a4ab2c140478c5exeexeexeex.exe	100
PID 3044 wrote to memory of 4380	3044	a4ab2c140478c5exeexeexeex.exe	100
PID 3044 wrote to memory of 3048	3044	a4ab2c140478c5exeexeexeex.exe	107
PID 3044 wrote to memory of 3048	3044	a4ab2c140478c5exeexeexeex.exe	107
PID 3044 wrote to memory of 3048	3044	a4ab2c140478c5exeexeexeex.exe	107
PID 3044 wrote to memory of 1852	3044	a4ab2c140478c5exeexeexeex.exe	102
PID 3044 wrote to memory of 1852	3044	a4ab2c140478c5exeexeexeex.exe	102
PID 3044 wrote to memory of 1852	3044	a4ab2c140478c5exeexeexeex.exe	102
PID 3044 wrote to memory of 4612	3044	a4ab2c140478c5exeexeexeex.exe	101
PID 3044 wrote to memory of 4612	3044	a4ab2c140478c5exeexeexeex.exe	101
PID 3044 wrote to memory of 4612	3044	a4ab2c140478c5exeexeexeex.exe	101
PID 640 wrote to memory of 4564	640	cmd.exe	108
PID 640 wrote to memory of 4564	640	cmd.exe	108
PID 640 wrote to memory of 4564	640	cmd.exe	108
PID 4612 wrote to memory of 3500	4612	cmd.exe	109
PID 4612 wrote to memory of 3500	4612	cmd.exe	109
PID 4612 wrote to memory of 3500	4612	cmd.exe	109
PID 4564 wrote to memory of 2300	4564	a4ab2c140478c5exeexeexeex.exe	110
PID 4564 wrote to memory of 2300	4564	a4ab2c140478c5exeexeexeex.exe	110
PID 4564 wrote to memory of 2300	4564	a4ab2c140478c5exeexeexeex.exe	110
PID 4564 wrote to memory of 4864	4564	a4ab2c140478c5exeexeexeex.exe	112
PID 4564 wrote to memory of 4864	4564	a4ab2c140478c5exeexeexeex.exe	112
PID 4564 wrote to memory of 4864	4564	a4ab2c140478c5exeexeexeex.exe	112
PID 4564 wrote to memory of 3592	4564	a4ab2c140478c5exeexeexeex.exe	113
PID 4564 wrote to memory of 3592	4564	a4ab2c140478c5exeexeexeex.exe	113
PID 4564 wrote to memory of 3592	4564	a4ab2c140478c5exeexeexeex.exe	113
PID 4564 wrote to memory of 1704	4564	a4ab2c140478c5exeexeexeex.exe	114
PID 4564 wrote to memory of 1704	4564	a4ab2c140478c5exeexeexeex.exe	114
PID 4564 wrote to memory of 1704	4564	a4ab2c140478c5exeexeexeex.exe	114
PID 4564 wrote to memory of 1808	4564	a4ab2c140478c5exeexeexeex.exe	115
PID 4564 wrote to memory of 1808	4564	a4ab2c140478c5exeexeexeex.exe	115
PID 4564 wrote to memory of 1808	4564	a4ab2c140478c5exeexeexeex.exe	115
PID 2300 wrote to memory of 3364	2300	cmd.exe	117

System policy modification 1 TTPs 50 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a4ab2c140478c5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	a4ab2c140478c5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\rMEsQYsw\ZwEcAgMM.exe
  "C:\Users\Admin\rMEsQYsw\ZwEcAgMM.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4016
- C:\ProgramData\AegosYsA\SCYEwwkQ.exe
  "C:\ProgramData\AegosYsA\SCYEwwkQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
    C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        8⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        10⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        12⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        14⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        15⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        16⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        18⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        20⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        22⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        24⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        25⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        26⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        28⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        30⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        31⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        32⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        33⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        34⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        36⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        37⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        38⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        39⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        40⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        41⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        42⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        43⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        44⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        45⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        46⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        47⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        48⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        49⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        50⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        51⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        52⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        53⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        54⤵
        
        PID:1244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        55⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        56⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        57⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        58⤵
        
        PID:1676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        59⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        60⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        61⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        62⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        63⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        64⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        65⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        66⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        67⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        68⤵
        
        PID:3620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        69⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        70⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        71⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        72⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        73⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        74⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        75⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        76⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        77⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        78⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        79⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        80⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        81⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        82⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        83⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        84⤵
        
        PID:4220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        UAC bypass
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        85⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        86⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        87⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        88⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        89⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        90⤵
        
        PID:4708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        91⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        92⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        93⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        94⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        95⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        96⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        97⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        98⤵
        
        PID:3204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        99⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        100⤵
        
        PID:4904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        101⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        102⤵
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        103⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        104⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        105⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        106⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        107⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        108⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        109⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        110⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        111⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        112⤵
        
        PID:2192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        113⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        114⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        115⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        116⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        117⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        118⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        119⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        120⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        121⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        122⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        123⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        124⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        125⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        126⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        127⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        128⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        129⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        130⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        131⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        132⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        133⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        134⤵
        
        PID:4664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        135⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        136⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        137⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        138⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        139⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        140⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        141⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        142⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        143⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        144⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        145⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        146⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        147⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        148⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        149⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        150⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        151⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        152⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        153⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        154⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        155⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        156⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        157⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        158⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        159⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        160⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        161⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        162⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        163⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        164⤵
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        165⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        166⤵
        
        PID:4244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        167⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        168⤵
        
        PID:4548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        169⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        170⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        171⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        172⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        173⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        175⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        176⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        177⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        178⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        179⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        180⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        181⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        182⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        183⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        184⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        185⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        186⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        187⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        188⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        189⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        190⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        191⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        192⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        193⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        194⤵
        
        PID:4020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        195⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        196⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        197⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        198⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        199⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        200⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        201⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        202⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        203⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        204⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        205⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        206⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        207⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        209⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        210⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        211⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        212⤵
        
        PID:3236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        UAC bypass
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        213⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        214⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        215⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        216⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        217⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        218⤵
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        219⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        220⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        221⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        222⤵
        Blocklisted process makes network request
        
        PID:552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        223⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        224⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        225⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        226⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        227⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        228⤵
        
        PID:4424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        229⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        230⤵
        
        PID:1648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        231⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        232⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        233⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        234⤵
        Modifies visibility of file extensions in Explorer
        Checks whether UAC is enabled
        System policy modification
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        235⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        236⤵
        
        PID:3760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        237⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        238⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        239⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        241⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        242⤵
        
        PID:1460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        243⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        244⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        245⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        246⤵
        
        PID:2460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        247⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        248⤵
        
        PID:4812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        249⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        250⤵
        
        PID:1144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        251⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        252⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        253⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        254⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex
        255⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex"
        256⤵
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:3720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQsogskU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        UAC bypass
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOwcwUkA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        252⤵
        
        PID:1944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWckkgsM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        250⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:1484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKogQIMw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        248⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYAscAUs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        246⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        Modifies registry key
        
        PID:1140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:1096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUQcAAYg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        244⤵
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        UAC bypass
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QywMogAE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        242⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWMwcIcw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        240⤵
        
        PID:4744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Modifies registry key
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        Modifies registry key
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkkcsQkM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        238⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        Modifies registry key
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:1464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwQQMsEU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        236⤵
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        UAC bypass
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmEgwwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        234⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        Modifies registry key
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:3416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsskEQwc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        232⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies registry key
        
        PID:3288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:1148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyEgcMwo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        230⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\paooscck.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        228⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:5012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEcgcAkQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        226⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        UAC bypass
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMwQMQYA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        224⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmMMAsMU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        222⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgAcYsMg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        220⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycAgMcsE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        218⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwEccEwY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        216⤵
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyMEMEIc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        214⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WugkIsgA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        212⤵
        
        PID:1128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OswQUcEw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        210⤵
        
        PID:3352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsIQsYQU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        208⤵
        
        PID:2992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiYYwAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        206⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:3696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWkMMAsY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        204⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQQAEUwU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        202⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKUAgkUw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        200⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies registry key
        
        PID:4620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viYgYcsc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        198⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        Modifies visibility of file extensions in Explorer
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:3000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:2816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        UAC bypass
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        Modifies registry key
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUEMMgIk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        196⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUMUQwsU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        194⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        UAC bypass
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkYMQcAA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        192⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCYkkogk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        190⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOQQIwEM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        188⤵
        
        PID:3064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:4604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOYQAAsY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        186⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkkwgAEM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        184⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSMIkEgY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        182⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIAcoAUI.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        180⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecckQogg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        178⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        Modifies registry key
        
        PID:3164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoIskIUM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        176⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiUYMosE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        174⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuwwkQMg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        172⤵
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACEEAQIE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        170⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmAoAAcE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        168⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIsMcEEo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        166⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkMEcAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        164⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies registry key
        
        PID:2144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAsAYUcU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        162⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LakYwAsA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        160⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUYAcwoI.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        158⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        Modifies registry key
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies registry key
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noIwYQIc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        156⤵
        
        PID:2460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAUwoMMA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        154⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOQYIUUM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        152⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies registry key
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKoUYIUg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        150⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:1848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woockMoc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        148⤵
        
        PID:4684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        Modifies visibility of file extensions in Explorer
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKIgsMsM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        146⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGoQowIA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        144⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        Modifies registry key
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZogQMQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        142⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:3836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUoAsEsk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        140⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmcEskwY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        138⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkAkMgQw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        136⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:1448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUkswAIg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        134⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        UAC bypass
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yUEkQQwc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        132⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOsAkkwg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        130⤵
        
        PID:32
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EaQkYgEM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        128⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REwEoEAU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        126⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies registry key
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PswsgckY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        124⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyMUMEss.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        122⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCIkYkAM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        120⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yygUoMko.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        118⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmAEQsQc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        116⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        Modifies registry key
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaQIMUco.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        114⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies registry key
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiYgUIsc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        112⤵
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PicoAcQE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        110⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQwkwggk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        108⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEEIkcQo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        106⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEwckgMM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        104⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWYQgoUg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        102⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XykgMksY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        100⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZggUokwk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        98⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKYcQMgs.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        96⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies registry key
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaQEAYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        94⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        Modifies visibility of file extensions in Explorer
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkwQYoYM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        92⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        UAC bypass
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIUUcAkI.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        90⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twAcsMgg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        88⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        Modifies registry key
        
        PID:2884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCkMEYgM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        86⤵
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGogUMYY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        84⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmcoMYsY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        82⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dggwscwA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        80⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCEkgEQc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        78⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWoUEUoo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        76⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCggIAsE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        74⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        UAC bypass
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:1400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAowgMkg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        72⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEIgkMow.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        70⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwAcYYAk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        68⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOwoIUkk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        66⤵
        
        PID:2944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cygkIcIk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        64⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies registry key
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmMcEIMY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        62⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYUcEsME.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        60⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWUgQIAo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        58⤵
        
        PID:4812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        UAC bypass
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqUMQEsM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        56⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:3352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiQQAEgY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        54⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuscMIsY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        52⤵
        
        PID:1248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSIAccoA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        50⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUcEAocw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        48⤵
        
        PID:3964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        UAC bypass
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCYAMAsE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        46⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KagIokkU.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        44⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGEcIEwA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        42⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyscgcwY.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        40⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUEkgccw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        38⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niwoUIgI.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        36⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCsYYYMc.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        34⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        UAC bypass
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYgIYgQE.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        32⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCswsAIk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        30⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYcYEMoM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        28⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dkkcokss.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        26⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwYwMkYo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        24⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMsYMMkw.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        22⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYMYcoMM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        20⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGIAwYoI.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        18⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWkIMwQo.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        16⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSMYYYko.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        14⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIoIkUsA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        12⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqwocsUk.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        10⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        UAC bypass
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeAcsQAg.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        8⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1408
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:4864
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3592
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkQsUocM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
        6⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2196
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSIQYQwA.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3500
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1852
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQAgoUMM.bat" "C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4084
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3032
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3184
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1700

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Modifies visibility of file extensions in Explorer
PID:3000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AegosYsA\SCYEwwkQ.exe

Filesize
192KB

MD5
397d12e7bbb8c4c1d3b95c34ab995b9e

SHA1
ce993dc156bee027f39b5e760628e89aaf8d15d8

SHA256
e622d38ebceed91ed90af61c1ab246ea4d615f67713e181fec5ce72197f1c2df

SHA512
9b48e85e28e0b815412c64a71928a5954de9d5d24417c9f2e0a9ae2ba8cf931eeb10dad12955fd2fba6c9fb7d5dbc9002570e6ced49901d807238d72d29988d9

Download Submit
C:\ProgramData\AegosYsA\SCYEwwkQ.exe

Filesize
192KB

MD5
397d12e7bbb8c4c1d3b95c34ab995b9e

SHA1
ce993dc156bee027f39b5e760628e89aaf8d15d8

SHA256
e622d38ebceed91ed90af61c1ab246ea4d615f67713e181fec5ce72197f1c2df

SHA512
9b48e85e28e0b815412c64a71928a5954de9d5d24417c9f2e0a9ae2ba8cf931eeb10dad12955fd2fba6c9fb7d5dbc9002570e6ced49901d807238d72d29988d9

Download Submit
C:\ProgramData\AegosYsA\SCYEwwkQ.inf

Filesize
4B

MD5
9893225dec02603d1c11986a5b0a83cd

SHA1
16d5491493632b0075ee9e3686231b1ad8bf1a58

SHA256
189b9e4905012436a03e69f815b67be35b942bb75aebf89f2738e56c668fd734

SHA512
1bf0da6e407bd1e1fd0371a13dad8652d710ebf05315611b4c288ff276bcb41b96cb95ca3084b0c2e3d2208968908196015ef6fbdf375c0bba4c742ed7d1bbdf

Download Submit
C:\ProgramData\AegosYsA\SCYEwwkQ.inf

Filesize
4B

MD5
f469eb650ce0b70bc55ef6c8955bdf49

SHA1
bc29ae0ddd0591ba1e0ff0c81353fc49d6aaedcd

SHA256
2b6a9e18a4392b2fd2e6636f7065aedab07e9a15f2f1aa6821c493af5c294f1e

SHA512
d46d64518a607199c2254a8d38c33d642867e8a49e20ab96c5e217ff79b8dcd83da069c24be0349cc1faf21a8f1f32cfb83682f18ff966a2cc564f02d6c0e9c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.exe

Filesize
257KB

MD5
34cdf6ea17aebc38ba43290d973d4318

SHA1
69ad6e8eeccf9e9de281705087932ae4d98c0161

SHA256
8c185971c6762e5bd70b12e64e3902a1b27fbfdd7165b4237601f7b369198a9e

SHA512
756c99c2e0fb9a33f3b13f7e56d88648863f6cce186cb09e034bd0efd30df76cae3446f3e639a01842d4e354966acdf4572893d154e681d1b94c297bb343003e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
191KB

MD5
514698f325cac87980bf5e7564a80c61

SHA1
1ffed944e7eb397025680dd26f5a13e05722f2c0

SHA256
21170a35c9e4c87712965cee4660e23432f5bfdca8c300a81fb6b1d0e3a0334c

SHA512
c118d8e9616c988dd3647ec95af0ef0dba321e7b14c62e86ec0a3c17cf13c29e4f8cdac1a93209a6f3159dfccbffa51253fac593f5139a5b8d05de7d6c49eeb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
b8f7cd3bb5db6e4de29ba6928bf8bcf2

SHA1
56b99f3e2b2d29fb3c7eb892fa5da7666c93cb05

SHA256
83e4576c05a98b06a21858e625d3a42ae1936153ea3c214cf43ea3333af74423

SHA512
4567bfceb011001b31625c6c925b05f3c0b90f78ded1c8ea001c5c7d745f4b60c8765be1323bc4e14d18ddabd9b2113d515cab02c6ae12ed2fb66e1405e2a1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQMg.exe

Filesize
586KB

MD5
7ac6d9926549993af1f95c04a517e91d

SHA1
72f6d044e15da51f38d67c076944aa4e15c78c68

SHA256
b0c2571a958a71898c00c004ee347c45cf076ebccb2173c14e04fe1be7e4338d

SHA512
c15e71d5869e202114bd6394ab2a34b4f5183963195d795cac44738fdfcf786c6260a91e45084964b7cc4d58834d71e20199889bed9af7f89aeba7ac6e6cb63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYgIYgQE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYkG.exe

Filesize
235KB

MD5
875d269d2e5ea077a6748ee2a413a011

SHA1
701a81ccb3e89682e07c1d088d00a9f07afedff8

SHA256
21a45ebca5bf4d0b1a96d91aa1d1f9f9fbc86aaba53279986fdc4a712caa3984

SHA512
57078c6fb53adb809593223821f5ad403ded05b6eb2f81d1e6d415f52242fd47fc1e651aca0f5889170db8e8ecf83cab7af8552d2603aa8ccb1a1619531536aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcYw.exe

Filesize
187KB

MD5
7d3dbc28c8d37fac896a26aedfebac0a

SHA1
0e8b608115385395b631dcfff5e2b9c5cd0b31df

SHA256
fc8417995b8878f6cb8959bc376deee7bc13b79eb3382b1ad35bee9e29983250

SHA512
4f0453024accc2afb84802784baa1283364a60fdef85b304967d5e71947a04cf84751a5d1cd5855c213b4537793a74825b549053f69df2df2c580e57eef1a884

Download Submit
C:\Users\Admin\AppData\Local\Temp\BSMYYYko.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bkck.exe

Filesize
243KB

MD5
1a4cf631ed8c18fde415d5e277796fd9

SHA1
ed99618cfbcfa5310be1e39a18f28a9bd041578a

SHA256
69bb751e86fc045375fa159dbda3f706abe495c06378fe922250452a498bfba5

SHA512
92b092db309bda2b8be89b5fe3d064ed9cdfcc137d5ba38555be3165decccf75fa1bec61fe7eb2faa7bd6030b11196c7e780fb2da0fd34fc38cc212d56e072c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ckgi.exe

Filesize
190KB

MD5
83fc16f25be21109d73a53041ae04b6b

SHA1
2be4c4dba6453c9bbf5b29077d12af05ba87ff43

SHA256
18cd25a48db84b400509d9abfe8666123477295820bb70be8a53ea20c393e872

SHA512
932a2fd8c18aceafe8f1ce53efef97989e455e3b3dca2a49764e4aed353bc8d313cb22a5788d3cc0275013c235aa7bee19d8035aaa244a47898db28d0411400d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMsS.exe

Filesize
202KB

MD5
cce7ca1bcb67dfb7741fefc01b2f41a4

SHA1
c13f2a47b537fee197b4236e8d55c312b48d593d

SHA256
9959dc5692f1aa9788b86d27cfe4bc317cdc25e6104cef9c677bb4f2838195d8

SHA512
ed8d732bc78567c9272f237ca6391d1cd2d83e23056cc1426064c741634feed66107541f26e759bbee7b34a51298ecc229b849344c5f8370b7cad967ea9186ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQAgoUMM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkIa.exe

Filesize
201KB

MD5
4738370d2f27d2fa2cf605a0cad82942

SHA1
badf553bd6512c60d7284397dc432445360877bc

SHA256
c8c70ce97cc57a89c8fce121a42c09a1f766d15a88b7d052f8e16fdfcfb08db2

SHA512
7cd07108c2166f702d61b7b889ad987c57a82ebe7a319b397f7bce2344f866dfee0a6c2fac9ecfc86ca16ffbbb964f39543cef9d906411640a2415586aa52853

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dkkcokss.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUEG.exe

Filesize
202KB

MD5
9b3f32e95d430fbd7ab7e288ecc51276

SHA1
4b5e8c9757e880c7807fe0ce3576494ecf59eb03

SHA256
e66367c08c2644ba06252beaab3c95d259bc33a3e8d55c06e80b25cf44b8aece

SHA512
49d485c01e1fb7c54a1d01b18af712de6999cdf500b29f6613d2629611576b05130d6210efe5765ee3a4a979262c368b095e0ba263ce8ba959a49ce0d1bfb184

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcQG.exe

Filesize
220KB

MD5
a60fb14b158b10b875cbf2a798fd06a5

SHA1
e8b270b7d8828083a6ef843443521ee786dd3bcf

SHA256
59cf61a00224861d2abdc27337739d9fbf746f6881254b37e8b5a565cdde4dde

SHA512
35f6c98740bacb9ec6c3a4626ea146482bfd69b7f0430e5e57bf5b401da0d85fe1d2c1adcac741246cab691ec9f13338bff6def267c10599e6f54b81747bbc02

Download Submit
C:\Users\Admin\AppData\Local\Temp\EeAcsQAg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekco.exe

Filesize
203KB

MD5
dc986dcc9b6f11bfbd6965d505f99613

SHA1
034c8edc65124bfed86e5195cc1c01bbfaefe698

SHA256
466a718f4ad592ab87d13b78879c10ffc8cbad14b6376d48db12f70d78ed376e

SHA512
589d3e307f35153b3877a7a4bc716d914f630170f22b44b96aa13fc04f66a1696db1fe541e9299aabffc479b989ed86b3ce058c058555d135bf59df9d373fb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsgM.exe

Filesize
412KB

MD5
97b45efda46679b71daa7ffc5a1465e4

SHA1
8734b43323c4482230f76e6e3bd73e3dbd948ef3

SHA256
5885ec4d83ec53638ae5a0d0f186da0c5dac7d479a852529aa87f2755a140f41

SHA512
f6d7c137c600d5836830fad62647d33979f0bb0a5133581812f6c47b7d928ec2c40c27ec5970ec76d7b143883cc6b1819db73c8b70472f3c0f365cfe1f68aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gggs.exe

Filesize
620KB

MD5
a5f8cabc8c8aae065bf0d2651bd01310

SHA1
4cc9198817315dd635fdb8c3218a8d3a16ab1fbd

SHA256
43024578307b65718351c7a921fe0c232b295eab3025a5a5a686877cedd0cac5

SHA512
2b14ea395bf8a231b01235170be2d95d2a8033ec56f89c50f1a1cc6ea9daf406e51df27eb5b285e8581d15d067a1af22d57f1836e3756797fe52a64caa1d04fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgwO.exe

Filesize
647KB

MD5
61a7ccd6ceca23997b709356cf9b3da1

SHA1
f0171c6f5cc34c091ff8c199d5571fe6fe0cd082

SHA256
d1d8a032ca5a8e1a0b7e40c2700d9d0240de2a2cd1f419b6b69ce7ccf6c5557a

SHA512
55151b35309517afe66341e2bebf9d6725e90477887c171940e85be02189e65c0084df9b19596b06a530f798ac2f049ede2a4bbe2b9d1a9dbab53ed69b6d0383

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkIE.exe

Filesize
182KB

MD5
156f0f09b8c2338b9c86d5b785f80de1

SHA1
d2b0b03e0279dcb0b8cf8a1574034ab7e623e89b

SHA256
9e108760b0b3ac569e9db75f1e731085afc8e3bc00c8fd74481e5b1081fcbacf

SHA512
b625e0632954a6a4dea53db6b66acf5035cfa9f7b53fb8f6937e4dd6f2f33cd20090622c2a0565ac082b50eb82e996c2b161b93ab766e4a1f1e78d2a463fa08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAcc.exe

Filesize
197KB

MD5
642378824b4a35063e8c8515bc046297

SHA1
7563228efcdf1ece474b76e93bc808b0525764ec

SHA256
14c23ffc7db2a07e50631051b53ab06018dfeaa32347d67f7cc028e06bea37ac

SHA512
79e5b0486dd52f01b3cd3846a72c3eece6b508974152f03b13147b55e655f60338ccd3dea83b5d5ea4e2d79a8bb6fdf03fb6b1e2365d2f3baf51203ab0832a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMsYMMkw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAMs.exe

Filesize
230KB

MD5
790c8615fe3d3a9cf8701fd74b4cb365

SHA1
b8ead9fa1f1d1281b468e29891f3855842d58448

SHA256
d2c9493e76064bd0fef46b30a8fb6f0fb157409f5f5e61044b10a1bfda64b69c

SHA512
771c0f5d1271bf32f3b5e4a936042ed88a8c813b049531c0b6b183464e8e493fae0993d18e9ccadf8842fd335139db75be6a9e4dca0a874f1eeb3a579cf03bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEQQ.exe

Filesize
409KB

MD5
6d00826ef703c0f9b2d787d0c76c4c1d

SHA1
717aaa29d4b5bb3f5482cce820c0eedf0e0bc422

SHA256
ba3aa4ae5524309e057bf2af246ec3ca558d6a9de970fc36844750eda6399752

SHA512
147d0276f6030b4209bb6ac22767b107ab9940eca2bfea5c5807c1aa789a8a037f08583f9840e2a94e93fc11a61ee1c48fdbd1ed37352208ef5daf177f02c439

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYgi.exe

Filesize
186KB

MD5
f303e453adb15f5232a58b93d423bcbd

SHA1
b169f6fc260ffdf9c7811128a053c6c27ae61cd6

SHA256
5e6f2ad359c0bec9fe17703eec59208f53dc92dbc76864288b2f072882ad075f

SHA512
8f8d28b77b38aa48072af7fb50024e138fc853726d89e9c625cdb8cf874b754393b90cc253ee0bef2e8b23fbe91cc733eb32454beb3ede632ce9e965f030d255

Download Submit
C:\Users\Admin\AppData\Local\Temp\JcEE.exe

Filesize
5.9MB

MD5
6edbf914348c6b3ed6fc3aee688cb1c0

SHA1
f9159a890d21e1da1f2a96e20c5d592cb3c0b339

SHA256
ec0764182228863e3bcb3c29996ffc91bce735e1ba215279edaa4525b84578ea

SHA512
53f561d7f3760d50ab9cd2af844951b250b18e7bcbefea5539d4eb371e6a4388cd674af7d58c387f290d19a215656f7d5088db91fcd4608377270474d7a73307

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jcgg.exe

Filesize
191KB

MD5
609561324c37fc98d875c7da5312ff8e

SHA1
a492d6bfb8b730d063b2e84a79f645bf99a004c5

SHA256
e90b22779880475ec5096fe47ea3621604a32d9b4aa7979349fc4c9fa7c05af6

SHA512
798cf20301017575dbb9a82e6dc711d7c8a4d35d89a6065f5b30e5247fa76b478729180b30071f4e47f7ab82d2c58cca2ef63535893a0f6becb1602e84ef042c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgQs.exe

Filesize
655KB

MD5
93ae606017413c6933a4e47fae312806

SHA1
d815f8c0f8031036c36aa0a5151da7654231502f

SHA256
94256525b1bbaba25acea3315f41f6e3d8022db9c2ff2f60f03deb4fc4f422b2

SHA512
b23258080f18a8b3578c406504fdb366af9bc7b7b88baf50297555a8cef7de461514683155ace7ccd93141e786d428a832c16c18c106ca70067e0096ca4fdfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIQg.exe

Filesize
1.8MB

MD5
7f67be1862db5839760d424585b1c567

SHA1
aa091bf36b5012a0a885bd0be8868e219d42aec5

SHA256
f20d2073545241e55feac29695bcf099ee1b2488492f2f792aafcc5d20d50adc

SHA512
667ae3b05255737bacbd96adc7ee8e2c6e461fba7c588435ecc0b4a6015bed9eb4205075541d46b789888111389e6cec977ff2adfee3266f521b877c37365dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcIy.exe

Filesize
184KB

MD5
a84e56b3e1e522b8c1e0d691774f27b2

SHA1
9601f165c22c13d6212385d1c8f9fee899d1ee5b

SHA256
044bf9b0c37a0ec7688602315070055ea45d720328852eb5fcc90085fd07bb2f

SHA512
81c57d0f23a81259aab2ede5ab91397d4e096181b131ed59c908b973a26f944f17f94ad6de1626f63ca1374c248a79d8e7991ddeb5fca42c3a2cd6ad340b19b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LGIAwYoI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIkY.exe

Filesize
196KB

MD5
77f81bb20413b924a1f1a471c2e5b378

SHA1
0f470c091c7026b8e5cc25bccc5b8a203e40e467

SHA256
4527cf83b9c7b82f4861acd7445e25ee3f60d6d1b47c1c881e3b58298678810a

SHA512
25ff477e4fb367e19fb09adef896d3f88bac2bf05ea9d7582083e67f3c1a8ae2789badc3a64881f410294ffea3775fe7f83074dce8f6386633a157a744dce47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIwy.exe

Filesize
329KB

MD5
e7d394ae0a9b2e78ac731d842d6fe3ad

SHA1
61d54458edd71b449023f98133e3f63730eb9976

SHA256
67b52af169f8ecbc0a61937ab4ad4067926fb54ae22aa5d8b9f508d15ef4949f

SHA512
494c1671bbeaae739a8cda09c1478ed4d522a710356de36e3d4ba8473e0c32f0fd7492f7cc4907c4f72b03c183930ac4b394621c9c649f2d60d9b0335c6e5875

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQIs.exe

Filesize
627KB

MD5
269fdde181fe734c8eb7535c4f526d12

SHA1
9d8924c11a765f1127d58e9f5ca4691a3c5fc116

SHA256
ce1455e0a0648590b773920d0fbef6d6d4666d15ea7360a058c8cd51fbfd9064

SHA512
d76024637158f0c0d26f1b0149674cf5bfdd86081e18678fdefc1801497043537f06a9d05783371770787119b446425efc683dca18a7c14b005fcab91e8202f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logw.exe

Filesize
188KB

MD5
eec6cde030efd18b5c1bb00fbe99c903

SHA1
b5f79cd1e688cc83cb58d76b4d75024f522701ef

SHA256
22c50efd9e464ead39433969dba851245ecbea59a0397ec3c4f3605a01e0caf0

SHA512
2e5413266017c87ee9fc692eadf14bd9666fc3981c832a61a2e9e21d22bd768c8819897252b15b78abf4f05e848b76c2eee9d1183fbad1a0c3132ad3fe0982d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwcC.exe

Filesize
381KB

MD5
bbdc0b8d1f47896576e16b5c69acc43b

SHA1
5dbfca2f3837ff823e39b5a8917c2474890b3668

SHA256
2febe8539cc29b4e78ca73cceab18ac4e9fa207103405ada74e971048408bb62

SHA512
724645946e16fd46f77607a10c32058e1804796bf49b16c61628d3795835b9f1386169bde9868a23ba88ff2e314bceca45fb3c1e181d8695203041d59f42d0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lwwa.exe

Filesize
198KB

MD5
6fed635cde77a1f400452b02355f6cc5

SHA1
51635767f06017f6ac8658ea363f784b86ae2fe1

SHA256
4c58edd087c22ca339c54e2d78e93c1951bc1127d69ef3f1d98a680ba191adc7

SHA512
963d0b123ba83a5e318550ba3d8dbbda6699ef019e708f52960e95c47de99931e89da45fccaf03063be393c4c91010230ac9759118dd481f55a28d9201e3d34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIcI.exe

Filesize
216KB

MD5
c466aec03a531c373fe38618b67d09b4

SHA1
18d27f0a25c11e06f10dbaaba4aec228e4470101

SHA256
09a855654f106cdd14afd209977e31a4f239a017f33f92fbcc244c5077db7d3a

SHA512
0c789775c1430a731d8850e54b3697a7f6c6010fb787904fe8eaafce1772479ff7779e796b153bc4030d00fa125a32ce2017f8df3aeb089a5195cfc1c9fb9d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMcM.exe

Filesize
434KB

MD5
7df588c1906af3c1bd10de265ec7f4c5

SHA1
f7819e5e93e6e9e523ee8e8ea6b4f64f79cc17cd

SHA256
726d6d5931c5c17bd23efcdbb532bf4df954edc2e2d1fb8c07915307a55b4308

SHA512
05320930946b8fcd2240e20fdebb7092a892cbec647dcdee1f331339bf7c85a324ebd154920581126c14cf05c56f1a7c3dbd93d3052bc20c20169b975d6235aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUww.exe

Filesize
227KB

MD5
782817687bdf3d80aec372c2ed24fa45

SHA1
231ac2d48a9504dfb6e872d0fdccb1b2ac7363bb

SHA256
958e415e60c54b730fbc37359ca6e901d569bb8e5c46a72937e73947c342cfb5

SHA512
0d95eb5e6266054e21ebbc202e239bb8cea2eba33c9375841f63918d68008a59239994cfe54ce3c5848779e91b625f8954ee0f136e11e277448e839a750666ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\NoAu.exe

Filesize
832KB

MD5
ec68a672a5059aa2425c670cab6f001b

SHA1
a66a3c7488fc17c4bb491d66678fb1ed2e46ad14

SHA256
4b80eaa75113346444abc6fdc3abab866a9d929f788922054402d52cc3e999cb

SHA512
4d261f138f7d75ee37616c3d8d8663e1334f4ce2bd764cca3739004651fd28f917b4907c333ca19b41b5c49d302799877076aa573a934060eb8e38639f2a199d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAgy.exe

Filesize
190KB

MD5
89ee9ef88a6aaaddf70e91c2322ab7a5

SHA1
778e0d94a2cc5057f277bc983128b064c7ef92ef

SHA256
825ecc0b90c04d288a73d5784d8b7da5e3634a121bf3c4fb5525526f39f3c7eb

SHA512
f7067bfe94b948bde94dcb037d7a48eef4fdf3f9c5336d14bf206ccd96f1f4d4704551f6658fb19642e39f8a6dd43b0e35ece8cd71f9841cc42bc9ab07fbe796

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQAy.exe

Filesize
185KB

MD5
67ec8b8f81a65991231ba6d580c122dc

SHA1
7ceb31ce42b6c42a64668b8b503d270fcc65c663

SHA256
9b9421d3acfb1763d3bb0a218dcf1d4828037594f9f8aa493f53ccd59f05fdbe

SHA512
1740709c067feb095cc9dea30eaa2d9c4580b4642f76228d762062bd1304f6b9180a21dbfde4e30ffaba709d24fc1220b409d6e9bf27a911f7f438e7575ab511

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUMA.exe

Filesize
184KB

MD5
1471e7dae157dd5e219a3d13bce98a91

SHA1
eabc165ca36d0285e8d38fdc8f051acc169e4e1e

SHA256
e7d2a037edc17a6e4a990178ef401a66af2a32c18affb9ee8a9aa7e12045913d

SHA512
623779fc1b70eaa6d09066042b0fc0c59578acf8cf489323a3ecceb7deaabada90069bce7358985f255460d383150c8c73299fdfbaa9256011da41e6ec679626

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcAc.exe

Filesize
204KB

MD5
3aa899a0255f798088d692d99841918e

SHA1
69c11b543a41a6e8e9b251c1ba37d0d23d220538

SHA256
d939faa6b063b0c8999607a4f2230d2ea92d3d8da69e7f6bd308d352937727be

SHA512
2ebbc7de3cf5520035abeac4195107e6e1e653b00e845f71c0de69782c2359c88a019a596d6d58a587c7f9931e39641c8cce9a11961e3f93a1ca4f54586461dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMwk.exe

Filesize
634KB

MD5
1467ee80b8a8c25c89a0fcf4956897f9

SHA1
ee7981abace07c64c79cf5ba23a9c12ceae8b0c8

SHA256
a1199dd4c7988aa42b9f74093fc04bc02ec8f4732cde087790e64c223814bf5c

SHA512
d00727d13c4b630e12684554c2c05bd2e093b10db5d47540ac32e0383fb915f93aee6e07750c8a2f05008f0e75baeba39201d606fae37cb66de33c4d1730e7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQsC.exe

Filesize
191KB

MD5
cb7ef7f286002c72046e38818dd9195b

SHA1
ea34a82d9b14afa694b53c65d24cf843eb572ab0

SHA256
129d3a4102998c5ab2646aaa7aa24ba0113f090bb06068aa8b7c5e6119922254

SHA512
e0fc830111ca023c971f4f1772290f2c9c87c6fb6fbf5928a814fb5f01860a205e484cbd81b58daa4fb3fcecfb7d6a9346b35c776e95ba4854b53683772828d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYQK.exe

Filesize
613KB

MD5
58b53cafd18913ec463c4751284f3bd5

SHA1
f51c2e8db1f3610af6ac4fa1cf6f673f144f0aac

SHA256
f161ef6b70814a3bb9bc15f3957293e0829c2b2b68c1cc8c7620d535aacb76e5

SHA512
1d832c96b00cbb0f81243fefa0b81d6a320576dda31b5ce6131ee7974ed0861ae778d699e2d48ee1d3ec5d1b50d62c495d344d33287eb78ae8bf51218443d22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pkcw.exe

Filesize
188KB

MD5
85741e61401c84792b7acd7f8adf0372

SHA1
967bfab2b59900cf9fb67e94a1226d3505fb819b

SHA256
865c264e8c054978cde6bca635f100955e62fab016a8f0b1157213e20227a3c8

SHA512
7e07c17c9a320181c99124a7cbb019e4e13f9c0c12dc1010c8776baa195782760b4a24e9c0e73f1bdb9ad052dcfbb9f759c68185bfd5c14fa7449fb36e64df92

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYMc.exe

Filesize
825KB

MD5
9491a7ad41a11b841b03968f06e89e66

SHA1
2971685ee9d4c7b182a3518c58f31ac60c97f759

SHA256
8a6d822d9208b8dee9a6cc673658ffb73eb95877cd50933b577f6048ef2e97b2

SHA512
2175fc175fefd8ceaa2adf08f0893ddcd66a9cccdc4465381dd216d8a8cb73e61e2068143534ba314fff9382aec368bc70c4f09ea2119b0864580a6b506fae0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCswsAIk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSIQYQwA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYMYcoMM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rckg.exe

Filesize
189KB

MD5
2d74802b75e4795c2c102320c6847b1c

SHA1
855f255bbaca2d3ae9476d623014754f09d435af

SHA256
087d29589aff6a56e59b4011b8e2fa5500f749028fd257534d0acbd44ebeb5f7

SHA512
ba9d5f04740f048835c8251a28ecae502e4d054cd7aef092a3b6a7d8569812f635c7f907e95117b252f9dfee119f39493a938eaa7b1e8b948c597bc85375eaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMUs.exe

Filesize
207KB

MD5
f6af1adbfd6cd9efee898c2cf99e6158

SHA1
8ebf4b799deef767e018868a3caf1291e7b0875d

SHA256
c2e745f33c2d34d6155dc50b7767bd90b5469b4923b756bef600d318e9dc7235

SHA512
639f80bdf3c7ca2ab10392e06714437583a5f8ed3eb3a95e285e6b88949ae130a75909e167caa7c8d17c64439d90ade6cec1336c131845865df4bbfed8f8a1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYQk.exe

Filesize
194KB

MD5
3baf2eafed7d64cf840f5eac465b7e18

SHA1
fec97afe551d061e1cef32fbacb5dddd71e735b7

SHA256
809fc1c9c6bb9a63046c0d044bc0a38e206fc464c20fde30f344d364e1f8476f

SHA512
63f746a19920fa9ce5b303f8d8abe9a0eef9d607c60e51b309de5ef47378922cd71213a2ac4061422b983fd57ba0c953c803938155a841a25551805dd9e04dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tkwi.exe

Filesize
310KB

MD5
4a7ed809b569663861677b678d146412

SHA1
51d314e5e35e793b183c927a9040ba70dcb4a5ce

SHA256
7ac27b8c63be633aca669882be9c134aa913b933787279039ccda90d041ecb49

SHA512
75c8b8ff9e291ea623c69c2ffaa47af46b930961db42894d1ede7c9fc0762c11bde427426ac041bb4d3bd52e144f99e25f0341d6d9663cd6d930755216a7aee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsgQ.exe

Filesize
699KB

MD5
c7496851e4e3a539315ebf9b7acf4d56

SHA1
2070a3dac3a414aec3658b2802a14177dc89e416

SHA256
108fc164b08c3bed8e37e477d016b2a48db7c7b3bc066a1648f0c71c9a052b71

SHA512
add0466f43a953ad3f0be34cbcb769c71a65c2ecf34807e73355b4131e6a3f032ea81208230b123c6f2201d1204d4c48d4bee543b55324c5512580658dc6133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMEw.exe

Filesize
214KB

MD5
50d330d4f60f1e877d1b4681d1527bf2

SHA1
5c102f35cd3f15eb11f1c2a13f35f0eaa22259b1

SHA256
19dcf4657d3942a201efbc9bd96fbdb9fd569d60b15693a864b1b4319eb4565b

SHA512
25cca4295820defd8c96b2fd0c9e2af817b4b7f707dca158e6a5ed8843df0025e59e79fe00cda23e8a52ab98b5d267420e0bd13248dd6a4dad17eceae453ce81

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYsK.exe

Filesize
202KB

MD5
cd88239d575b22ddada79653c69f57b2

SHA1
80816b763ca85ad0691fb1f2d4d8025c2ad08d34

SHA256
7ecef27ca56aa70ffeb2dd706fd42aa879400b35883053eb4faab3334e5c2c16

SHA512
1ca4f350d10e29120c92c22d57158c91730aa8946ce174f3bbe6538fce2c6dc66f81f156ca941f6d07f6dfa7b6917db8b4ecc5d82c2d0495399786618bd0f6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAko.exe

Filesize
785KB

MD5
6d75f7d3336828cd81254d55c1c96aca

SHA1
4ff56c07fca6a13022b0db6566111cee9b5482ae

SHA256
716073b4ab148110b703fec01c44bbd9b380cc02971e3cee7cf8a49457f55f31

SHA512
cb7933773fded8832b529d5327e7a455b59e5c7d9223a21a4cdb6d899d7f94095aed1d3307c8a5d0e316ce25d8f5de45f698c6e42db3464fc620c8a286dddb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCsYYYMc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIcw.exe

Filesize
226KB

MD5
9301bc0b6ca876733d9f3b7639b4cdda

SHA1
35be8b43b3429b8877cede4e63894bbef332aa03

SHA256
5c378f189203f5c6b38b6abcdbe8fd52798b4f24d0437c25f92e21f2f0d497e6

SHA512
388e6d0fa617ac4635b6e55269e966595405eabc31f0879f639c570df3543c82302ead780c84d039697a7348fe0a9dd7662545d0f8d45fbcdf04165ee0b36270

Download Submit
C:\Users\Admin\AppData\Local\Temp\VcIW.exe

Filesize
188KB

MD5
3b717f8e5a5d3d19549267364dd90f67

SHA1
e98164f9a8a791a9b918a22425b92b24d1ced6f7

SHA256
cc2a82ca48b4c562dfe161f3c50d1cead874a2c7a7ae4c4a50eed113b367ea5c

SHA512
fcbbf72ee2d2dadaa806186be2b4d2c3781b3c5df5448adbdccbce9859322d2e662a337f8931d031cf358d01c63eb5a6102593db03162fd45935a973579b7185

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYkU.exe

Filesize
202KB

MD5
fa1394d2e5ba0f2a19b8dc447a41e645

SHA1
b7a4af03855590a88d12d5e6ff60c98e8e4be9ad

SHA256
3ada7bcaca72add564211e761f33fab7d339ad8f15ee212a09e13721c1c4da5d

SHA512
ed4e0d7a9f94ac44fa322dd2a8e674167ce1c6170a2e889e6fe2c2ef95644912d12c5b68bfaca3f791c9071d44af8a11bf16bbec68f05c0581a6e1d56b93d677

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkQc.exe

Filesize
190KB

MD5
654622970702d68f0de587ff27630415

SHA1
f6a6a3fc5519e7ea9d20b23adec36151310d8b7e

SHA256
b163d62c531f9fc4e3c90ee6072523a123971b4b1ba8fb79eda3478e7a62eaf2

SHA512
4ff0ce90457c38eb3a971711f91b903d046331e6f9f1ce38cc8207d11fe891f32cbb6440928347aaf84f123df826ac5c1fcdc466f0ab9eb7dea00d0bf81b52e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIAA.exe

Filesize
673KB

MD5
7fa40399c212233e5b52b9ad9656a564

SHA1
6f18b9a1912d35b9ae8ee87a8d35f917643d61ca

SHA256
314c1b17f18731893360e5a3120e8d7d7d279a0451aae4aa2c067beea26202cb

SHA512
37d699e7e0152272fb641d8ac6d60029c303e72d9ec29ba65819d3372ac6af2ee30e66147a7f8e6a83dd20194c5113595ffa3b705f925a9b1d54ad6512e53112

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xccw.exe

Filesize
186KB

MD5
a94abf7030eb20f72caa3ab66714037f

SHA1
adbf70a0212cce0f3f6bd8c0ae39354eae135b05

SHA256
50b549434b35b6c6ec29ba2b2a337071958848e01c8f5e6cdd63602e863d86db

SHA512
2f5da7133a315d88ea2f948f7db870b68f03dbefa0ab9b9bd20b84f77dff71721441d3461181081326a323f5761138696b884a892b9c5de7710f3ae62628b8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIoQ.exe

Filesize
203KB

MD5
fde4b5c8f429b3abec251b8dd3795319

SHA1
0b839422f9f92146a48e529713a7b593cbb64306

SHA256
c479af9159c002c8fda8088fa281cd79252039069ee8143438acb688bc8f6ae9

SHA512
02c8b89041df3ee9be2291c53479c0959d569337a0b68b580a6c5f0c71f56f0aef37bfee27b2f52699f76cd80b15998fe05d3d1fd58fdde8c878b8adce7afcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YocI.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAAI.exe

Filesize
590KB

MD5
b5f13df17ea352c0014a55e52f586833

SHA1
3f2230455cf8f6710b7568d662420a561d63b313

SHA256
1c9072649fa1174b51a50d083799412cffcfa87b9224e678dbf7bdc38d12c16a

SHA512
de2247075a87c1ce85a0bdff1b92f91497f1df0ccd1b4d7d71d4ad079f5e11b3cf01e991e2ec6b2dd75026d9890d535bb646b74819058fcaa218dcbd01a46d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUoI.exe

Filesize
434KB

MD5
d75a145ea8ddd8e47977178d072c05fb

SHA1
9a215bf81ba86c49b4fef938906d9c74b4482e38

SHA256
a5ba8b758d053d2f26f4f52b4a15566f5877d9461f13a67ba4912c31ac26f97d

SHA512
281e50880830656e1a4e3d1b374897e20a2e26ca442933aaf14643592ca9466b935e089aa1af54e862a4aff45f61a2fe3c088140a44368fb25ed5edfdbcee18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwQW.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4ab2c140478c5exeexeexeex

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\agEo.exe

Filesize
784KB

MD5
17e878ceefede6978af16a7a10b66847

SHA1
e1f7bf1ae4a135c13499ff2b2902deab953add37

SHA256
6b9df395c472bc091f0172bac5463485675058035f89058ab16b5ac214f4ff0d

SHA512
7cdae82061e2e2b3fcd11b521249a6078a9cc76158761fd975ccdd8eecf52355b0eaa387aae3ffbe4b8ea4991f59790e8d55612e65249cf24f2c984b527acb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\agIu.exe

Filesize
559KB

MD5
a8aa86467dd34dec525e7caff0411596

SHA1
7a7101e9029d007c64858175c66f847ac23dc7eb

SHA256
1c5229d306890aa17fe26fbb82b410de14a51a2b77751fb7e7e4a0f35b09c5a7

SHA512
42d5d7b96097e4fc73f685041e5b205ff9f21d191c5a568cd48cac19c178d3ad8bd1cd1e07c23fcbf04227c3d40646bd1373d003d5a6bd4942b3cec5626e6211

Download Submit
C:\Users\Admin\AppData\Local\Temp\booG.exe

Filesize
208KB

MD5
8c50a32a2a6a103d04d5cfa77403ef95

SHA1
d8b7d50549f327296a5540aa5cea91891c582994

SHA256
a18742cdb66929b06d9cb36f894ee963329ca76cc8586be4878846d12d03e155

SHA512
8ba801e6771b2a3cfe164f1e826233f63b84151f6456aa39fe641185a79f814bb3c8ea5c70e56b56f4f01eb6fbcec839e4bb6fd4662b63deab2d7804e082becd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMMk.exe

Filesize
192KB

MD5
0d64d779d27da0009999a9687feb6e54

SHA1
87aee7861eabc8c6a479f695540b79ae00559c1f

SHA256
30b7d11979568eaa4bff07fae46bab982ea289fa334da097a726834568802d2c

SHA512
d39630f4490f1a874fe997fd57ed776ffb0631baad01d8bac0f7e4525c38943e3d980819bcef5404bde0283d8cda530b7c95bbf03533b9f0fb2304d770f6d882

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUgc.exe

Filesize
187KB

MD5
e5a948293abb91fb5c99634c7c5e1efc

SHA1
759b0f7759f2b67165983064cefeb337e71cdc91

SHA256
bf2245231bac6b5cf6aded57e3c55cbc42d2d0bed9b819024b8b4d9c348e7981

SHA512
2407a9d3bed4fed554630ae90f8be5dbfedaa94f5a23beb9ae6539f696dc59715aa2099b41ded2ee4dbd89cc7530280592ce1a406775b55c04bc21db9420851d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccMY.exe

Filesize
1.5MB

MD5
02c387adf4084413170df702399775f5

SHA1
6eee2158a91b5be323c0a165039169da8cc6658a

SHA256
9b1faa202d80f74e65ded74e63ea0b148029dbe4f167e5718f2c93db84d0c376

SHA512
7830b1a4a8402643656fdac6c3aa42c677756e7c83a62d2dbbeadf944c48c050f8dd7bfcc0e31b7b6c71fa29c14bc38aa3a79bcba2aa5ecd188f6e9fa15d0ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcAc.exe

Filesize
205KB

MD5
ddaa35e97934aa45ce546cfbc784c891

SHA1
532696379a07f717ca3c7f0b318d32b6c35ee16b

SHA256
cc633d37e69158313fbdeb16e4a218818b0c5fe128dcb26b97832cd9e93ff9af

SHA512
7d36fa39eaf9bd2c11dddf1c69b408c52033aeaad49b2c009bc762ece02718b7892d2dafe62ee0544614ae4b920d3b0ff30eb1fe1008ae49a0fbfd7e26c3c306

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgku.exe

Filesize
205KB

MD5
da723be7da0948965b1e29cb0aef8d0d

SHA1
78a36ddccb9fc6c78b690fbfa456a55fa0e6a54c

SHA256
c6257f542acf2bae0528d3eac9f36fcac249f5168126b01d3fcff040825f464e

SHA512
11b52cbc5721b7cfb843ccbcefa3f93a4feddb5109e6316030670960538902ccb50009d800e6a5a437db51c5a02b3e593d8c462d4ea08d505dc2ab3bcb3af032

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAsM.exe

Filesize
740KB

MD5
c6936bad1df5559accbe6354c1d51632

SHA1
139dd661ae356a583ee2e7f242f13c382c5a72b8

SHA256
212c8ade7b9dacdba845ca630f1dab2c00b38606be5f5c1b316b9feb8954009c

SHA512
1e10273f677dc931c675503c3897cbc9578fd01648a3e484b574af4afa1440b550f71f010bceefca9da84eef41bcf45033042de5b8a098a0779f9a9d6410d75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUkO.exe

Filesize
182KB

MD5
71904096d0c025196971a02ba4710027

SHA1
fd6f978932f8f99a931d2777e26134e396e466d6

SHA256
5bb698e28eb86e282594ac3dd1d9e1aa279946b99bbf6122a2ba62a6dab8b1dd

SHA512
ca6519ca9f7e26939b8758227531222267f58ed936e0ddce0745c2c2b8c44167dd66d632d431bf2b31dd11448974f6e5e6cff4433563ef5bb35e02c4df6dff4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekku.exe

Filesize
758KB

MD5
3c2f41621ff250dd288078c9b08b7197

SHA1
4d0e5207713d81f5434659588eb5e514012931c4

SHA256
5bbe278488eac704d9833d8d6f33d3c868d007e83c6dac447106af84b24c2072

SHA512
073029872237fffc5483cece83ed947ebe9abefe575ca39fae5c360bf16571cb6649b0f7e1b414313a3b549aaf3340c7dc2e01f44dd4fa9e8ec0674bb51e4c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYcYEMoM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcIC.exe

Filesize
190KB

MD5
484871136b2171a944ed868794f307d7

SHA1
3b7738f7e9727d47cdc5011414a671367fb1beed

SHA256
ff8063cfc27b6a20a0c956f4776a9b62345b24b0c3a3d19cd3bc27d7e7691f99

SHA512
b4e83d278d6aeb7d5858d67637ef06c12a3c252e49e9472b302209f42cd82f0a970a3db0f5927c2542f0412ddd6baa8676dc609ca86da94cb6ba0e8c9aad28f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkQsUocM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkQsUocM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqwocsUk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIYm.exe

Filesize
205KB

MD5
206ab3f0f02ed355439d234c573dec7b

SHA1
974148d602cd73567d133ef5631835964793dbd5

SHA256
41ba39dc3f6a020c9501dc6416e57eb5d1ac54483023cc011229f0ef9e849519

SHA512
1dc1579c44d2946b73ff66dd5dc965e1c743b40865626ef7582150002455a7eb7c957e5278c99b3b65efea35ad6be76e2ad24bc746cebd6c65d460b95b69e1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsoI.exe

Filesize
763KB

MD5
f57315d131bef33b0841f6a097c23a50

SHA1
9628b6355a956bf390f71eef41537a8d61517213

SHA256
91c8958acdef4e10ff5c0679b38bfcd3805d14ffb38e3f696188cd2267c13de5

SHA512
74128e720fc3369e9609f34beacb4895652e5820086ae7d3be15fb7f5e0c7f09791b05499253229a9a441eb15f89fddb2b6b41b9f5ae65400d2c7a3cc53c17f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAMM.exe

Filesize
190KB

MD5
1ca3bfbafdc5d3fb2e0ecb93334238d0

SHA1
b785815de03c8cc73a1e00185ae593ff1c662bc9

SHA256
ef8222d4db07e4e7c38ed399349c45ca577f4f50da1cda6e6bd1928597d4acbe

SHA512
a57777c47c22c5260133565131eaa4c436261ff6e069cf3f8e458db284228589939ced8e08043bebfeec6c62da3daaa8274a1e0b2dda74bed12b8a360ad7d498

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcgU.exe

Filesize
189KB

MD5
91e6c744356f7a5801012573150ff174

SHA1
7165f70f3f9e132ab7ba6c19cc62f43668aec0df

SHA256
e90aeb0875dfada1871b453b539aa07e091b36b49373b095cc1239d9d820611f

SHA512
65972295bcf09a2b8adf0191f3c8f48e166c0fae17da5fa9e31248774cf403d657922742c142f6ffe16df6a4130876168b40abc12ffbc1a85d55a59decc0b760

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwcA.exe

Filesize
442KB

MD5
53a208d6041f9dae3e635e196540f06c

SHA1
bb021b2733eaabfce4eaa925760ea2b5d048db45

SHA256
d9a7d020d406c68167d150d07b7ac973331cf32e3d7e85ab0a4d4f0005abb13a

SHA512
db55306c610c4b2bc9f3ac5901328c203c5679e9a1dd047ddc98b718764a8d663abfb6beb0d67174caebedc881b99f0af465fd174c849ab4816c5996cf946249

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUQC.exe

Filesize
309KB

MD5
f72223b949941315ffdbe3734b01ff70

SHA1
6b005bded9a771745c3d58a10f12e7a5e382c3ea

SHA256
9d1a27fca6f1f5d9f0b2c7a4bdb231cf1195e58c7530a2b92702e921e30269cb

SHA512
97aba924e209518afd53b3346837fbe72d689f60fc81c8bd7f2d91d73c984a049f0b213e5702b35598438a2f4ec4395d459ff58485a788285fd5a9aabdfd2af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMcw.exe

Filesize
206KB

MD5
60a1347624a1775d010bf73d71a0eb63

SHA1
b0a5c13db7912e49b92b05e4babbb21cd8e2163d

SHA256
ac2b208576496a9d4d46e14ae6b6e5436bb529e8dccd24a9da3aad3b38e476d3

SHA512
ffde9cff648a8721fb7e297abe22a01395399973abedf52d91d507b1a4661620ba544d3e201c0669b238372fcb6dd19c1934fd66237d994450e894776f691510

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsMS.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwcU.exe

Filesize
563KB

MD5
77dae3fe858b1d9f7f90618d34618803

SHA1
586602ae8988f1d3e8f2065b8e29c2718b2ba681

SHA256
5cab9e8afdc0738d68ecdd7740f04da67c331389ecf1ceedee1b15d1a60bae43

SHA512
d3d08a5831cc1f82f6d1a4c1d2df3489bc69c81f13fc9e883a6cb7a7af900136e133d39fb5c440b189684d8701472bb730afb4463f8a63bfdc54efe8a50af650

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEG.exe

Filesize
190KB

MD5
a39b7f1be326933975986c4d16a0c8f9

SHA1
72f0e01c8b41c63335d2b6bee26446adca9bae74

SHA256
164e65486660eebb7c735d8782efe024be28bf7c01385a5f241b2caa9b9e11e9

SHA512
ec5094ece67f3f0b085406d553b0da209b206a6c7a06faa5e86d4715714a5ae86e8020dde3f29c0cc1dd8db7a8d34250bb2f8c30269427a141bf546aa3a6689f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUYE.exe

Filesize
719KB

MD5
2daddf6ff2a27379ee3e271139485b18

SHA1
504d1c5b613b0914ddd3c490d3b937c2e288240b

SHA256
00e1ec9519f91f7a7679b59a9670be823fb47ca8dd643b5c98307f83e802cef8

SHA512
7f6818ae2e3cbecd45d2e0e0ac031596758907947e38be9e3c581b355affd6b76c644a58a91ae63f059561a4f79fad5666f4a34743e43c6c005cc74ef3fff11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\losO.exe

Filesize
306KB

MD5
eb7b418f711da3959650f4458b20d27d

SHA1
eb3a152890f573b105a77500d021ecdab05a2e1c

SHA256
f6acfd70074751ba00ad96fcee18b22b8f27c0542ff558c3aca38561e2362195

SHA512
bf562cc6bb3e0b93987c6479ea322c676d1ffd3a7e835b5295dea985cdb3e5c1074175a6af8ce86dd4cbff9290310e68bbd113a42613c04ed7cf12f3c6ae0a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lowU.exe

Filesize
199KB

MD5
89be5e35ec7e9fc9a215fb6ee6f15c02

SHA1
3ca3fcde7b09180b3163c6ae60d98e93059e267b

SHA256
14936cf357ec80ba5d149192eea70e738d19127819631b1cce500fc0df39573a

SHA512
dc77cf4b7458de5678b3fa95ef4f0f6efba2fb677d695ae123f22fd5b3a0fdbd4de595c8719eeced6aad552f112a8b54922f36854d9735cdd0321938e78e547f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEYW.exe

Filesize
191KB

MD5
478fabccea924425af5acf80e105680e

SHA1
22c725bd5e640b0facbcf7cd6bcbed6d0432864f

SHA256
08d33519ce2cfd9dc3613480d2713e4e5b1bfe478228af0aed1a516063259439

SHA512
e1d239af782e17efd7ae2a2a79ab2971ad695373eb4be861612ca66b176604423e52992f0d15740d2bee8e7be547b502e33355801b7a054486c786b2189605c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUEkgccw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngIm.exe

Filesize
5.2MB

MD5
69a1a54913d6d7262722b020c9a4a08e

SHA1
817e1b8e9fd067dd3cc3ebfe6910dea4d491228e

SHA256
aa7543ed59d901d0f6f7dd9fc5272cd8f91f0c8ea4a142a9b953faa260dd0a99

SHA512
4e9db5550a71d4c832289092045a0408c12af0e3485879bb5983fef5a17dae82e945d9442e1cce0f2fcdd900bd56e08c4fbfdf6d1ecdb1eb7e0db30cf611700d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngwo.exe

Filesize
188KB

MD5
b21e3c63ee4b3059a93c11e561c25b6c

SHA1
378fb7f526bc878b7f1642c053697d74cb144d4b

SHA256
a92e6c7c362f99b8b6d7f46e4835b7fa61bd9254629d2904495289822b7239e0

SHA512
5589c41d3df5681745122bf44c9c64a91e045661652ed2d025bbec883d6a4906d79ef05c0a9d6b45cbebd390cda366e88fa9b047c92ea15a43970ab776d3a7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\niwoUIgI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkcY.exe

Filesize
404KB

MD5
399625fb9c250c800c38a07139f7e714

SHA1
4f4517f934888d7e862b4ba87151a045c7f08277

SHA256
9f38ad43259508ba78b2385f14aa86e4eddec1dd81ecd8e44e60243a20c9d6f9

SHA512
de8db7f2c74bc108b6a4e7b76ba7ede35a7955c5ae8d13d1a3a105d7ecc8ad3308ff86a7846d30700a5c93e7e9c52e1624680d7c7b48ee738241420e93af7e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsEC.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUcQ.exe

Filesize
234KB

MD5
b6544f6f6034ad51df4bf7325bd8829a

SHA1
5debe3d13220a1829d49ee43b8d31893472f5dea

SHA256
de18b27e60e024a123f7a3dcd7305116bce6d9f7613e3be49876da276b26250b

SHA512
4177938d10e4485935567ef071168fcfeed5d421b6c1fd4ebde8ecf12433fd3f18dec1a10e7423dafd0da62dfdc17aa7513c6679ea47c62bec38ee7c82b962ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYkS.exe

Filesize
192KB

MD5
077806667f46aaab59acaca241e3185d

SHA1
e5eb003849ead26e491b4fdcf4811b98f28ea802

SHA256
7b24266fe8d5c7b7d12ff7fe2a7c379da68afdfbb1b6feec5c4bfa785502364c

SHA512
95b765438f252cd5d83e4381bd9416ff4d6e996205db75f83d117bf68598b988a0dde4eb9aa8fcaaaa50de993fe8c706ac0a267b7f356c75d256cf748d3c8ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\osUa.exe

Filesize
199KB

MD5
00f5ecac8470a9670844317df3486788

SHA1
438c05d46c12319619d6b5008e5b7ecf28834521

SHA256
d5dcb0001b16eb51f2a73f0140deeb45cb505e434e2e003b99efd6cfe8c9ed14

SHA512
78fbd24e18e80c5fe5e666e3c1bffb1970b889be978136343f0cdd18d1853020490c4539bd139369d9100d2f13f1d7b84c8b45cb1d1c436ad8b38a246516a0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcsQ.exe

Filesize
501KB

MD5
165da9fe5c2d5bb039d96aff3467a592

SHA1
772ee8811edd5b69c2bc86ba1480d97c7ca7ae88

SHA256
298e1bcc47c881fb582bb5271849dd1480b3ce5ff5b5ddf20635fad8318aed0c

SHA512
ac39e9b68b96c647c6dc6c18061343157b53726084b0df21648b8094e957f90466f6ea97e8aa726672d88a72b0116da06f0f3ec1863310ce63fdef2c6bc84317

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUgQ.exe

Filesize
596KB

MD5
95f35625aa0f8b959324b277b240fd74

SHA1
2b3cff8aaaa9ba865010d93ffe1bc1186dbc7a91

SHA256
a621c2ffdafa07723b701b565e2bc6c857b189f5a45564ac338d1b8cd8297ac7

SHA512
e22e07a76f5e1eb91c70e1f8eb3e45fb3da99aeaeab7f08c26bc43af5995dae93dec32bb3828a7ba46d0010c98040c8b39626a78236ec3cf0be939507d6e6254

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYge.exe

Filesize
195KB

MD5
e591ce818c90a607d2995b1e62fdef54

SHA1
bd7b7f497b8e4ab7be6834834eef710722be792f

SHA256
7b3682d67755408ed5703703e45b344d8832bbe9dc96757bafe4bcbbab1fef62

SHA512
07f3e845c96111301b3156ebb55fa7493be13c4eadafa7e627a47b23f1a468d59ca4f16236a035f828c3383ce09f2649ef193d684ffb8c808004123161facf6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIoIkUsA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkMy.exe

Filesize
206KB

MD5
b6fb11838a836e03475ff471b2fb7a0b

SHA1
efcd4c6f2142caca64e812899cfa51f60b2489e0

SHA256
5e59a8dee608b9d6bec553deb7c572dd1a22487a0c63caa327e657cc9f72d67a

SHA512
57f9fa075940c0f39624df241fefd44d6fa6b22b9be01c393ee5807bdb5c7d58a5e11ec713e724cd01bea499da66b0048d9bab55527018ab6f282e85fd65f441

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAYy.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIEI.exe

Filesize
191KB

MD5
ab97597cd717d9fe2ff3c888d2eccf96

SHA1
e47379b4302045126f5578b0f2beb8e7d4332bad

SHA256
5b0c99b22f147e9af014edb9ba936a66e7e01abf85f7c91caeb3c83ab92a46e7

SHA512
fe1d51c075965b6e5c57f2d747cc6e12d18ecba4680714e5fe3bace55ef9719bbe52292be205bd613aeac3172858b25f1a292435ddaba916a42f01f280e4cd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWkIMwQo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcMk.exe

Filesize
192KB

MD5
814abdadee3e062619ee571f8e4828b1

SHA1
4ae9ae86e5ac01abc24c52411d2e802f4f24c143

SHA256
3d5389c6c18a255a7eaa3a531dae900058d30eb95447b0fae8e3328bb4ca0803

SHA512
d5aff95e89ad0d1533117b29e55d4a0586ad15b81f5b9b26756c36f4a4c588f40d0c8a648a11e16572ef2e43328ab0e26b961d881afb0e24afa7993884f945fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkUe.exe

Filesize
197KB

MD5
f25a505340fbf3878fe330eb3c376674

SHA1
cb7b533d0f45e8610bb99e3d13d01597478fd0b1

SHA256
e1507bc68c8e5ffce3ecddd55a184cd7654c522a200f15e6d127392c851c81f4

SHA512
cb4ed5182659e8aa553167a309e5eaa4bd2a9a48e9c66deef538b6818ac6a31c25f21bb2d39e639ad91c1e5c1fe3f867a84305e9764bef649a1c4b1368eabba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tske.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEAq.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucEM.exe

Filesize
530KB

MD5
147c11e3a9c62ab11ac0e50ad8f4e841

SHA1
ca0c1380a1820d2b6dfc4246e1566df1c18ef2e1

SHA256
9503b47aed878179013d3ce01df8d52be711ecc9e524b11c994a02b85d2c11d9

SHA512
92174ad424f985a412c0247a0b220246a4a832e8a9c952a2dddbf3d2b2d2b15574b9d0a1d84683c83542b09cd3dd7eaa867e7d7556cb0ac6cb01eeb975f894dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwIA.exe

Filesize
202KB

MD5
3d498b0b42ea2b1fe6c844e66ed37cde

SHA1
62cc5281f99cc1a8213089782bd38f728d249b95

SHA256
d3bcaa7db5d1440c6668ab4dd3971b92924167007fb80bdda97960c9372876b2

SHA512
3ad79a2864af6d020e0398f94643fe5ee2c476cd40aff7fea1c4b4ab91ca9ce39dd22d7feccec8e41eafa04ba051fd7d38caed810daa0339278da8443738cd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwYwMkYo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAIS.exe

Filesize
192KB

MD5
ee2e39ece2953f0d0d7bd052c1ff9d65

SHA1
cbca77871d0c21a1473bb91be95d4871e7d6c2cc

SHA256
3b39e8779f8303392f37e9c057da62f98becc08e58cab96351bf8d1e3044fd41

SHA512
67c652ba083b8403c5100cad2d0b6b203c502bbc5f05fe68350a94d0f89e0a3406b3420ae4db82e70140990b7c6142c7c244cb9b0f90d8956a670be2862bc046

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYEq.exe

Filesize
205KB

MD5
0f7ad293191bcce2d268987b0057b4fa

SHA1
759d9fb2830937f38b5cc76dce4a68df7822547e

SHA256
24a27e3067c3a830783a42aaf621a7cccc66b8fbaf5fbb6f4081185b036f94f0

SHA512
ba32b1f309264cfe1b893aaed9e38020405aee02b7b77b27b3a50cca593ae84f638896db1f3f36117b7b34c230f7f6904b2e9e856b813dcacc38b68e9928f492

Download Submit
C:\Users\Admin\AppData\Local\Temp\voEW.exe

Filesize
199KB

MD5
bd3370a2cbcdc912cd953c6f22dffb9b

SHA1
f36399049c1fbeb5edfff8c1f230263f094ef3dc

SHA256
588857f84e8904338d395158a280db4ae3fd0014926f1318c41a5660a403c469

SHA512
60b07cef555d285b95639b1af0c35896e622da05da45409d60b45e941447c2412e61abbcb9d26e2ef0b0d383e494a9718b894c6504f42ac4f41cf5428fd24914

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkcu.exe

Filesize
207KB

MD5
b5438c0f3d81d1d3503ea04b33093169

SHA1
0d153e5b301abb8897038472a61c8384593c645d

SHA256
93ae8548e7fc3d8eef13026c28da3782d51feb0a221762639c9eb79a171b0c3e

SHA512
7a8f3be6a0ea8e18e44f192427642e232b89ea15404076a3749988094cf53e561ff8802310e232762e039214c0c124b96a265b701fe34acb5700320a1df95cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwMe.exe

Filesize
629KB

MD5
59cc00411a9dd1bacdc19c9cc35f24e1

SHA1
da5fc4660a97197c061bcf6a031609b4ee9406d2

SHA256
f726db24a42411efcd750e9cac33de8071e7b2e4fd5ebc6d51cf15ed6ee569e7

SHA512
f831970f40632837e87865ca80939a662f320f0bb2228d78763c753e6fd17c5918a673b84473898d383c031b0f1035e870a8e3a972224ea5f71ac665d32fcf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwoA.exe

Filesize
182KB

MD5
c2e39f4d279f7a5d5ba79f9e11fc3b08

SHA1
34a66fbb94bee9c1468dabdc8486b9dba37a11fb

SHA256
345944977ffbcb9d4016d6511161335aec3a3d250aeba66e4b87cb18ddec2299

SHA512
0d22e6278fcefd634d387335b981425af68ddda274fe9f0cba49477d62e2da24b781ee263de9c7508db2d8efce66789466b2fb7e91c6df57616bc614245b8368

Download Submit
C:\Users\Admin\Downloads\RestartRedo.pdf.exe

Filesize
1.0MB

MD5
4d2a354a8ab8be6690c219686bf7a476

SHA1
43c8475f43ef64ab52d7ccbf6008655e599548b6

SHA256
aeda61c7329bbef87aa4b8515cd9f30c2e0bad8e3eadb56c4516786c195935cd

SHA512
23ceedddc36bad753e99eae77067c82a66d746efc99e5bd6c65c23622fe9802859e1cffafcf1e2ecba635e4cd8bf5ea401a2ec16cc26e8eb344f9255ddeac899

Download Submit
C:\Users\Admin\Pictures\AssertSuspend.gif.exe

Filesize
629KB

MD5
fb076b6f0708173e7aa77bb72ef46d09

SHA1
b9da7796a1fb05c2771ac429bf3219ad27791027

SHA256
a9e77a412abb1b6c4eaf6b267d4830312e84993cbdb833446ebb37a7c5372027

SHA512
36e4e802bce0d28a5f33bc5e94ba8532be1a993ced3a522a4545225f30835a76e2402e18ffdec05211630c6302605d680e88c694ecd80eea07b31b693f4b0c72

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
207KB

MD5
8929273ca7e79f4aa44461dd681f7f4d

SHA1
cd1d8d140596645f4c9db697848d20315d65defb

SHA256
d3b9623d486abe4c2337c32875349990cc56bf26f134a383ce5be6c0da7384e7

SHA512
0725b744b837ba5e617b7205e84fd63f421df1d2479697ee64355c081f84dbe62cd23672c9e6bf6a84db74cec5b64856ff18a00e3626d909dd5d937099efefad

Download Submit
C:\Users\Admin\rMEsQYsw\ZwEcAgMM.exe

Filesize
197KB

MD5
0e38f944f94e95f13b252607ff7a3adb

SHA1
d31f318fbf6481b7bd80bb1432c2148713f94be2

SHA256
58ef88de25e3b8277ea6bdbd0b81ee4692d3274fce453d7ad894fb1a3cc27cdf

SHA512
6a3d1d8dd384e0974d7e760d60a0a10836cc4a00cb69e0f5fe8090d6b6186e85da4d310077e4bd95e69cda0015ec8b8792fde39fe381f21e94fcdb131172cde0

Download Submit
C:\Users\Admin\rMEsQYsw\ZwEcAgMM.exe

Filesize
197KB

MD5
0e38f944f94e95f13b252607ff7a3adb

SHA1
d31f318fbf6481b7bd80bb1432c2148713f94be2

SHA256
58ef88de25e3b8277ea6bdbd0b81ee4692d3274fce453d7ad894fb1a3cc27cdf

SHA512
6a3d1d8dd384e0974d7e760d60a0a10836cc4a00cb69e0f5fe8090d6b6186e85da4d310077e4bd95e69cda0015ec8b8792fde39fe381f21e94fcdb131172cde0

Download Submit
C:\Users\Admin\rMEsQYsw\ZwEcAgMM.inf

Filesize
4B

MD5
f469eb650ce0b70bc55ef6c8955bdf49

SHA1
bc29ae0ddd0591ba1e0ff0c81353fc49d6aaedcd

SHA256
2b6a9e18a4392b2fd2e6636f7065aedab07e9a15f2f1aa6821c493af5c294f1e

SHA512
d46d64518a607199c2254a8d38c33d642867e8a49e20ab96c5e217ff79b8dcd83da069c24be0349cc1faf21a8f1f32cfb83682f18ff966a2cc564f02d6c0e9c0

Download Submit
C:\Users\Admin\rMEsQYsw\ZwEcAgMM.inf

Filesize
4B

MD5
3c35f40d167af6ad2d1b115e60dcff25

SHA1
d3f224e51a14ac8d2ff8bc2f54c0e5cb9e397a8d

SHA256
dca1eaee84166eb29ea0fc932ad7d815773e98336e188a5ed9e2dce6132d87fd

SHA512
5796d7a43f2e0fdb45dff18e8dd25ef013720417de506ecd7d13f48978b9ff39f86427e807384929bcf5d0ec0660d179070a95850118ecb5dcc8dde9b76caf06

Download Submit
memory/8-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/60-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/60-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/368-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/456-611-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/456-602-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/516-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/516-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/524-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/792-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-619-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3364-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-168-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3964-600-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download