7419095325efd38397dfafa713e196ded539052f4a86459b56da1b1bd2701dc6

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 15:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

84a996a9c0a556exeexeexeex.exe
Size

924KB
MD5

84a996a9c0a55690f93766fa618f35bb
SHA1

129fcfa22a88e34a3f2f45aab10f053c84374034
SHA256

7419095325efd38397dfafa713e196ded539052f4a86459b56da1b1bd2701dc6
SHA512

3cbd9951b62f92d44813fcc1c9a07f59cad6475c261fa6fb26501d6c0a4a431c0102e5259b31e356c49387a3dc67c89320856d0c579a0d947fe8a04204403b69
SSDEEP

24576:82NEVgJ4EJhUKfP0Bkd45aKEWXCUgDrMwPpmELy:8EjJVJhBIkybSUgDVhL

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	wmiprvse.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\UseMount.png.exe	zWYgQUMA.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	zWYgQUMA.exe

Executes dropped EXE 2 IoCs

pid	Process
2584	bUgMoQYk.exe
1956	zWYgQUMA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bUgMoQYk.exe = "C:\\Users\\Admin\\DCsssYQQ\\bUgMoQYk.exe"	bUgMoQYk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zWYgQUMA.exe = "C:\\ProgramData\\yuwMwoYA\\zWYgQUMA.exe"	zWYgQUMA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bUgMoQYk.exe = "C:\\Users\\Admin\\DCsssYQQ\\bUgMoQYk.exe"	84a996a9c0a556exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zWYgQUMA.exe = "C:\\ProgramData\\yuwMwoYA\\zWYgQUMA.exe"	84a996a9c0a556exeexeexeex.exe

Checks whether UAC is enabled 1 TTPs 54 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	84a996a9c0a556exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	84a996a9c0a556exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	84a996a9c0a556exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	zWYgQUMA.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	zWYgQUMA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2240	reg.exe
908	reg.exe
2752	reg.exe
4412	reg.exe
2524	reg.exe
3384	reg.exe
4280	reg.exe
4428	reg.exe
5092	reg.exe
4836	reg.exe
4432	Process not Found
2904	reg.exe
1588	reg.exe
2168	reg.exe
312	reg.exe
1332	reg.exe
4320	reg.exe
4568	reg.exe
5012	reg.exe
848	reg.exe
3864	reg.exe
1036	reg.exe
3228	reg.exe
888	reg.exe
2012	reg.exe
2316	Process not Found
4856	reg.exe
3764	reg.exe
3880	reg.exe
4728	reg.exe
1396	reg.exe
3036	reg.exe
816	reg.exe
3524	reg.exe
3088	reg.exe
2104	reg.exe
4236	Process not Found
3652	reg.exe
1236	reg.exe
3404	reg.exe
1556	reg.exe
2032	reg.exe
4576	reg.exe
3868	reg.exe
3448	Process not Found
4896	Process not Found
4252	reg.exe
2356	reg.exe
3452	reg.exe
2752	reg.exe
1516	reg.exe
4216	reg.exe
5104	reg.exe
1692	reg.exe
1992	reg.exe
3164	reg.exe
220	reg.exe
4908	reg.exe
452	reg.exe
4184	reg.exe
3688	reg.exe
3256	Process not Found
4460	reg.exe
4412	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3764	84a996a9c0a556exeexeexeex.exe
3764	84a996a9c0a556exeexeexeex.exe
3764	84a996a9c0a556exeexeexeex.exe
3764	84a996a9c0a556exeexeexeex.exe
3356	84a996a9c0a556exeexeexeex.exe
3356	84a996a9c0a556exeexeexeex.exe
3356	84a996a9c0a556exeexeexeex.exe
3356	84a996a9c0a556exeexeexeex.exe
2548	84a996a9c0a556exeexeexeex.exe
2548	84a996a9c0a556exeexeexeex.exe
2548	84a996a9c0a556exeexeexeex.exe
2548	84a996a9c0a556exeexeexeex.exe
1980	84a996a9c0a556exeexeexeex.exe
1980	84a996a9c0a556exeexeexeex.exe
1980	84a996a9c0a556exeexeexeex.exe
1980	84a996a9c0a556exeexeexeex.exe
3284	cmd.exe
3284	cmd.exe
3284	cmd.exe
3284	cmd.exe
3164	reg.exe
3164	reg.exe
3164	reg.exe
3164	reg.exe
2252	84a996a9c0a556exeexeexeex.exe
2252	84a996a9c0a556exeexeexeex.exe
2252	84a996a9c0a556exeexeexeex.exe
2252	84a996a9c0a556exeexeexeex.exe
3680	84a996a9c0a556exeexeexeex.exe
3680	84a996a9c0a556exeexeexeex.exe
3680	84a996a9c0a556exeexeexeex.exe
3680	84a996a9c0a556exeexeexeex.exe
548	84a996a9c0a556exeexeexeex.exe
548	84a996a9c0a556exeexeexeex.exe
548	84a996a9c0a556exeexeexeex.exe
548	84a996a9c0a556exeexeexeex.exe
2636	reg.exe
2636	reg.exe
2636	reg.exe
2636	reg.exe
544	84a996a9c0a556exeexeexeex.exe
544	84a996a9c0a556exeexeexeex.exe
544	84a996a9c0a556exeexeexeex.exe
544	84a996a9c0a556exeexeexeex.exe
3760	84a996a9c0a556exeexeexeex.exe
3760	84a996a9c0a556exeexeexeex.exe
3760	84a996a9c0a556exeexeexeex.exe
3760	84a996a9c0a556exeexeexeex.exe
3788	84a996a9c0a556exeexeexeex.exe
3788	84a996a9c0a556exeexeexeex.exe
3788	84a996a9c0a556exeexeexeex.exe
3788	84a996a9c0a556exeexeexeex.exe
2368	84a996a9c0a556exeexeexeex.exe
2368	84a996a9c0a556exeexeexeex.exe
2368	84a996a9c0a556exeexeexeex.exe
2368	84a996a9c0a556exeexeexeex.exe
3244	84a996a9c0a556exeexeexeex.exe
3244	84a996a9c0a556exeexeexeex.exe
3244	84a996a9c0a556exeexeexeex.exe
3244	84a996a9c0a556exeexeexeex.exe
4872	84a996a9c0a556exeexeexeex.exe
4872	84a996a9c0a556exeexeexeex.exe
4872	84a996a9c0a556exeexeexeex.exe
4872	84a996a9c0a556exeexeexeex.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1956	zWYgQUMA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe
1956	zWYgQUMA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 2584	3764	84a996a9c0a556exeexeexeex.exe	83
PID 3764 wrote to memory of 2584	3764	84a996a9c0a556exeexeexeex.exe	83
PID 3764 wrote to memory of 2584	3764	84a996a9c0a556exeexeexeex.exe	83
PID 3764 wrote to memory of 1956	3764	84a996a9c0a556exeexeexeex.exe	84
PID 3764 wrote to memory of 1956	3764	84a996a9c0a556exeexeexeex.exe	84
PID 3764 wrote to memory of 1956	3764	84a996a9c0a556exeexeexeex.exe	84
PID 3764 wrote to memory of 776	3764	84a996a9c0a556exeexeexeex.exe	85
PID 3764 wrote to memory of 776	3764	84a996a9c0a556exeexeexeex.exe	85
PID 3764 wrote to memory of 776	3764	84a996a9c0a556exeexeexeex.exe	85
PID 3764 wrote to memory of 4828	3764	84a996a9c0a556exeexeexeex.exe	87
PID 3764 wrote to memory of 4828	3764	84a996a9c0a556exeexeexeex.exe	87
PID 3764 wrote to memory of 4828	3764	84a996a9c0a556exeexeexeex.exe	87
PID 3764 wrote to memory of 636	3764	84a996a9c0a556exeexeexeex.exe	90
PID 3764 wrote to memory of 636	3764	84a996a9c0a556exeexeexeex.exe	90
PID 3764 wrote to memory of 636	3764	84a996a9c0a556exeexeexeex.exe	90
PID 3764 wrote to memory of 2524	3764	84a996a9c0a556exeexeexeex.exe	89
PID 3764 wrote to memory of 2524	3764	84a996a9c0a556exeexeexeex.exe	89
PID 3764 wrote to memory of 2524	3764	84a996a9c0a556exeexeexeex.exe	89
PID 3764 wrote to memory of 4316	3764	84a996a9c0a556exeexeexeex.exe	88
PID 3764 wrote to memory of 4316	3764	84a996a9c0a556exeexeexeex.exe	88
PID 3764 wrote to memory of 4316	3764	84a996a9c0a556exeexeexeex.exe	88
PID 776 wrote to memory of 3356	776	cmd.exe	96
PID 776 wrote to memory of 3356	776	cmd.exe	96
PID 776 wrote to memory of 3356	776	cmd.exe	96
PID 4316 wrote to memory of 4564	4316	cmd.exe	97
PID 4316 wrote to memory of 4564	4316	cmd.exe	97
PID 4316 wrote to memory of 4564	4316	cmd.exe	97
PID 3356 wrote to memory of 2608	3356	84a996a9c0a556exeexeexeex.exe	98
PID 3356 wrote to memory of 2608	3356	84a996a9c0a556exeexeexeex.exe	98
PID 3356 wrote to memory of 2608	3356	84a996a9c0a556exeexeexeex.exe	98
PID 3356 wrote to memory of 1268	3356	84a996a9c0a556exeexeexeex.exe	100
PID 3356 wrote to memory of 1268	3356	84a996a9c0a556exeexeexeex.exe	100
PID 3356 wrote to memory of 1268	3356	84a996a9c0a556exeexeexeex.exe	100
PID 3356 wrote to memory of 1692	3356	84a996a9c0a556exeexeexeex.exe	104
PID 3356 wrote to memory of 1692	3356	84a996a9c0a556exeexeexeex.exe	104
PID 3356 wrote to memory of 1692	3356	84a996a9c0a556exeexeexeex.exe	104
PID 3356 wrote to memory of 4568	3356	84a996a9c0a556exeexeexeex.exe	103
PID 3356 wrote to memory of 4568	3356	84a996a9c0a556exeexeexeex.exe	103
PID 3356 wrote to memory of 4568	3356	84a996a9c0a556exeexeexeex.exe	103
PID 3356 wrote to memory of 1424	3356	84a996a9c0a556exeexeexeex.exe	101
PID 3356 wrote to memory of 1424	3356	84a996a9c0a556exeexeexeex.exe	101
PID 3356 wrote to memory of 1424	3356	84a996a9c0a556exeexeexeex.exe	101
PID 2608 wrote to memory of 2548	2608	cmd.exe	108
PID 2608 wrote to memory of 2548	2608	cmd.exe	108
PID 2608 wrote to memory of 2548	2608	cmd.exe	108
PID 1424 wrote to memory of 3948	1424	cmd.exe	109
PID 1424 wrote to memory of 3948	1424	cmd.exe	109
PID 1424 wrote to memory of 3948	1424	cmd.exe	109
PID 2548 wrote to memory of 216	2548	84a996a9c0a556exeexeexeex.exe	110
PID 2548 wrote to memory of 216	2548	84a996a9c0a556exeexeexeex.exe	110
PID 2548 wrote to memory of 216	2548	84a996a9c0a556exeexeexeex.exe	110
PID 216 wrote to memory of 1980	216	cmd.exe	112
PID 216 wrote to memory of 1980	216	cmd.exe	112
PID 216 wrote to memory of 1980	216	cmd.exe	112
PID 2548 wrote to memory of 4460	2548	84a996a9c0a556exeexeexeex.exe	113
PID 2548 wrote to memory of 4460	2548	84a996a9c0a556exeexeexeex.exe	113
PID 2548 wrote to memory of 4460	2548	84a996a9c0a556exeexeexeex.exe	113
PID 2548 wrote to memory of 2032	2548	84a996a9c0a556exeexeexeex.exe	114
PID 2548 wrote to memory of 2032	2548	84a996a9c0a556exeexeexeex.exe	114
PID 2548 wrote to memory of 2032	2548	84a996a9c0a556exeexeexeex.exe	114
PID 2548 wrote to memory of 1176	2548	84a996a9c0a556exeexeexeex.exe	115
PID 2548 wrote to memory of 1176	2548	84a996a9c0a556exeexeexeex.exe	115
PID 2548 wrote to memory of 1176	2548	84a996a9c0a556exeexeexeex.exe	115
PID 2548 wrote to memory of 1468	2548	84a996a9c0a556exeexeexeex.exe	116

System policy modification 1 TTPs 54 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	84a996a9c0a556exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	84a996a9c0a556exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	84a996a9c0a556exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84a996a9c0a556exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	84a996a9c0a556exeexeexeex.exe

C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\DCsssYQQ\bUgMoQYk.exe
  "C:\Users\Admin\DCsssYQQ\bUgMoQYk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2584
- C:\ProgramData\yuwMwoYA\zWYgQUMA.exe
  "C:\ProgramData\yuwMwoYA\zWYgQUMA.exe"
  2⤵
  - Modifies extensions of user files
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
    C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        8⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        9⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        10⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        11⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        12⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        14⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        16⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        18⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        19⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        20⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        22⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        24⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        26⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        27⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        28⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        30⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        32⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        33⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        34⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        35⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        36⤵
        
        PID:3564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:420
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        37⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        38⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        39⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        40⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        41⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        42⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        43⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        44⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        45⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        46⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        47⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        48⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        49⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        50⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        51⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        52⤵
        
        PID:2948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        UAC bypass
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        53⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        54⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        55⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        56⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        57⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        58⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        59⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        60⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        62⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        63⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        64⤵
        
        PID:4224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        65⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        66⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        67⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        68⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        69⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        70⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        71⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        72⤵
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        73⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        74⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        75⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        76⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        77⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        78⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        79⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        80⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        81⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        82⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        83⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        84⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        85⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        86⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        87⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        88⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        89⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        90⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        91⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        92⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        93⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        94⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        95⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        96⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        97⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        98⤵
        
        PID:3428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        99⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        100⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        101⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        102⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        103⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        104⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        105⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        106⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        107⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        108⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        109⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        110⤵
        
        PID:2520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        111⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        112⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        113⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        114⤵
        
        PID:2740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        115⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        116⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        117⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        118⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        119⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        120⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        121⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        122⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        123⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        124⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        125⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        126⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        127⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        128⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        129⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        130⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        131⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        132⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        133⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        134⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        135⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        136⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        137⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        138⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        139⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        140⤵
        
        PID:3032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        141⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        142⤵
        
        PID:2912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        143⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        144⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        145⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        146⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        147⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        148⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        149⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        150⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        151⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        152⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        153⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        154⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        155⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        156⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        157⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        158⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        159⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        160⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        161⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        162⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        163⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        164⤵
        
        PID:1076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        165⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        166⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        167⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        168⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        169⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        170⤵
        
        PID:944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        171⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        172⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        173⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        174⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        175⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        176⤵
        
        PID:548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        177⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        178⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        179⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        180⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        181⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        182⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        183⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        184⤵
        
        PID:1808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        185⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        186⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        187⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        188⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        189⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        190⤵
        
        PID:4232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        191⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        192⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        193⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        194⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        195⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        196⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        197⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        198⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        199⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        200⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        201⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        202⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        203⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        204⤵
        
        PID:3120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        205⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        206⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        207⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        208⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        209⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        210⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        211⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        212⤵
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        213⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        214⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        215⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        216⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        217⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        218⤵
        
        PID:2368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        219⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        220⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        221⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        222⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        223⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        224⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        225⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        226⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        227⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        228⤵
        
        PID:2996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        229⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        230⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        231⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        232⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        233⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        234⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        235⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        236⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        237⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        238⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        239⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        240⤵
        
        PID:392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        241⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        242⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        243⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        244⤵
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        245⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        246⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        247⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        248⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        249⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        250⤵
        
        PID:688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        251⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        252⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        253⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        254⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        UAC bypass
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        255⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        256⤵
        
        PID:872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex
        257⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex"
        258⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkEEQMwI.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        258⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suogYokA.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        256⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaUsQIss.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        254⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:3816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGosIcgo.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        252⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQUkUYIc.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        250⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:2024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmgQscYA.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        248⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        Modifies registry key
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeokooME.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        246⤵
        
        PID:2588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JisQowII.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        244⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        Modifies registry key
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:3400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emIAEAEM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        242⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:3980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        UAC bypass
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgYAwwQM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        240⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqMYMEAI.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        238⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:3404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeYMIkgI.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        236⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUcwooYs.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        234⤵
        
        PID:2532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        UAC bypass
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        UAC bypass
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWMwEIUg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        232⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSkwEYUc.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuYUgskY.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        228⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWkoAMkg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        226⤵
        
        PID:1832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        Modifies registry key
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byoUcgQw.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        224⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYkcoYEo.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        222⤵
        
        PID:2316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWckMIYk.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        220⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIAQscYQ.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        218⤵
        
        PID:4216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        Modifies registry key
        
        PID:3228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        UAC bypass
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcAAAUwM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        216⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies registry key
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEQUgEYs.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        214⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCEwkMIA.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        212⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leYYEcEY.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        210⤵
        
        PID:1132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUAQskQM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        208⤵
        
        PID:4628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        Modifies registry key
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcQkcQME.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        206⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwIYQAgg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        204⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:5084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        204⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkEQocAM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        202⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        202⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqIIMcgY.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        200⤵
        
        PID:4424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        UAC bypass
        
        PID:4316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UskUIoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        198⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:2852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pycsEsUA.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        196⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmoscckE.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        194⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKssQQoU.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        192⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByEQAgEo.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        190⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOwQAcMQ.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        188⤵
        
        PID:1396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmAMYQwU.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        186⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUsIowYw.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        184⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        Modifies registry key
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CokQwsss.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        182⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:1236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siUMoAUk.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        180⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWYwsgEA.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        178⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmQMoAYI.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        176⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGcYkgIA.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        174⤵
        
        PID:908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        176⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCMsggMM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        172⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        UAC bypass
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loAIowgg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        170⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        170⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGoEIkIM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        168⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        Modifies registry key
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        UAC bypass
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lssYkIow.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        166⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSEoUkME.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        164⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywgcoMUk.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        162⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECscUsYs.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        160⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AasYckQM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        158⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:3028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        158⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOMAQsws.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        156⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIwkEYwk.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        154⤵
        
        PID:1256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYMgscgk.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        152⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TikIEwUg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        150⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vewwsIcg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        148⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkIsEEII.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        146⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKooIAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        144⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKAQQYss.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        142⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsAkIAAE.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        140⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mioUQsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        138⤵
        
        PID:4320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        UAC bypass
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAAIAQkM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        136⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        UAC bypass
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGkAQIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        134⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        UAC bypass
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKEMIYII.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        132⤵
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AycgEsMc.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        130⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:3864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqgIUwAs.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        128⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MickogMc.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        126⤵
        
        PID:768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmEUAckc.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        124⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:2984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGAYgQEA.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        122⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ligMUwcU.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        120⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSMMYQUM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        118⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGoAAEMg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        116⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LogoQEME.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        114⤵
        
        PID:808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        Modifies registry key
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAIkUAEg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        112⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leUMYcIs.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        110⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAssEQcg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        108⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKswgMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        106⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyEogwQg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        104⤵
        
        PID:3452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        UAC bypass
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWAEYokk.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        102⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCoAgsso.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        100⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AccAkQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        98⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOQQkEsg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        96⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgMAAgIA.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        94⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYAYcEsg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        92⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESgMgMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        90⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies registry key
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        UAC bypass
        
        PID:3404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqkcIIME.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        88⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JusAkUEY.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        86⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEoUYMMM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        84⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIUQUsss.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        82⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQkoYQQs.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        80⤵
        
        PID:4412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyMQskEk.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        78⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        Modifies registry key
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQowEAAw.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        76⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCsQsAsw.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        74⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQYEEQwk.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        72⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMQsUUQw.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        70⤵
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwkUgQUk.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        68⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGQscIUs.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        66⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKwwcsYA.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        64⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYsMwwIY.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        62⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGQIMwMg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        60⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugkocMEg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        58⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoIsMMEo.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        56⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGoEQkkc.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        54⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcgoUgUs.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        52⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        Modifies registry key
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKEIkwsI.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        50⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuEMssYo.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        48⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUYEAQgg.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        46⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMIUgokk.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        44⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIgIQwYk.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        42⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUwAkgAY.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        40⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqYcQUwU.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        38⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwogUMUM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        36⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWYEAgAM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        34⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCkwgUEM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        32⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCgoEUgE.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        30⤵
        
        PID:4784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KowwEgAo.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        28⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAcIsoco.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        26⤵
        
        PID:1176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQIYgcEA.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        24⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUQwQEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        22⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuEQcoIs.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        20⤵
        
        PID:3088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOkUosAc.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        18⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQAQIkAM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        16⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCscsMcM.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        14⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqUoAgkY.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        12⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAsQwMAI.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        10⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eswscoIU.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        8⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1460
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:4460
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2032
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoAgEIQc.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
        6⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:632
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQwcQwYY.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3948
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4568
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1692
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqEUkQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4564
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2524
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2888

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Modifies visibility of file extensions in Explorer
PID:2032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
228KB

MD5
615de657f2ad84aedcbe3a3b38a31b80

SHA1
b4196df8fc6b9f7a54f85df2201cdde7919ba597

SHA256
3fc3d6e4b82d9a4254c8ec2a0bd064d47ca0b99dfce5f7bc5a9ebd18d356e124

SHA512
c71acc6a03511cd721399fcf75adfd97ec9f3384b59a860f9378d29cdbfa74392d5223433725afe358c3b24430c9f8a03c6a3f5ab84804f1b25fa12b20c228f2

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
816KB

MD5
7b6cbc178cad0ffde78d4ba404cc6495

SHA1
0a4138b8a81fee537f4904e14c519b4af4a95146

SHA256
34dc2f0401cb2519d89b145cb779e16299c9f2bd2c6a8f9598f7299962275daf

SHA512
9baaf6b908186029fc8ce4015b38d8e888c69e8a863cfb0c52dc54079758f63f6fe9e7ca6a92197c58b96fa2c49c026ac584e2f7d5ade8a6c72eb67e09c08743

Download Submit
C:\ProgramData\yuwMwoYA\zWYgQUMA.exe

Filesize
185KB

MD5
125569d5cee7fca327d47d4b525cada7

SHA1
5f61a23dfc7ad1612a698943d7472275f4d918d5

SHA256
af0f2a620f89effb4a77dcc8680ab024cc28cbf2da4db949a3db80193ff00f12

SHA512
3e5320d38f5cca24c09bb2308e718e15ec079c6f16d210b8a8700017218d36f36224074617f47cedf683ecaaeae948d04ff66be2666e97e8f108a1b8c6b50426

Download Submit
C:\ProgramData\yuwMwoYA\zWYgQUMA.exe

Filesize
185KB

MD5
125569d5cee7fca327d47d4b525cada7

SHA1
5f61a23dfc7ad1612a698943d7472275f4d918d5

SHA256
af0f2a620f89effb4a77dcc8680ab024cc28cbf2da4db949a3db80193ff00f12

SHA512
3e5320d38f5cca24c09bb2308e718e15ec079c6f16d210b8a8700017218d36f36224074617f47cedf683ecaaeae948d04ff66be2666e97e8f108a1b8c6b50426

Download Submit
C:\ProgramData\yuwMwoYA\zWYgQUMA.inf

Filesize
4B

MD5
278824e0906a5e54d2ec2cb25e4f7599

SHA1
ac16eb74d3c7e4a3c2dedc0accba285d60543a41

SHA256
3588b36b50ac5cfe6232871b2d2fab6ad9c1181274a91542b36e240696ad8760

SHA512
5b60bcafd3ef2c9d65d51f8cdd15776f741705f46b8f545e3be4d090ba206a3ccccd052898bf4b5c00f2ab568a80b8964b58412214ea5fb22bde6fb130ec61fe

Download Submit
C:\ProgramData\yuwMwoYA\zWYgQUMA.inf

Filesize
4B

MD5
60821d65c5c6d55bc301969523bdbbdb

SHA1
e512311460b9cdb18ff6bcdbeeea32b35c494596

SHA256
e75e1ce1d647bbd5d5fd2594fd9c18d46ef9d23a5700ddce6e57f03af9b1db5b

SHA512
f525cf5e20153b0e8f232a0fb9edc1081a1a08fca9b9ccbf48a1a3666e635c481d2ce6639e0882bbc2f6d0e80e495282b493edfad710b74e4a2c53ba69de2b74

Download Submit
C:\ProgramData\yuwMwoYA\zWYgQUMA.inf

Filesize
4B

MD5
d3685d14c497144e6140bb2474440ad5

SHA1
96dc28b42c8f5cc550e535e5c1458fe34259db7b

SHA256
efdd64c2a710132831b014ba9650c7706b1046fea054dc1659058b585b85a8d5

SHA512
a72482ab0fcae15dea9c4f15c9c766018e1a9017f9d4338c62d4c14f7e11569a74bf10f59c0998f39c522fdad70463d5dc586170febbd8ac0f05de680d28015b

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\84a996a9c0a556exeexeexeex

Filesize
742KB

MD5
74369361fd0b4da649e681ec7a0fd5fa

SHA1
354c34157dfe328c718b69e140ecaf1dc780af21

SHA256
a7c39d22a0c7d296f5ce6c5a1a141dc526ec1c3e3c7dcd3c499f692197c2d397

SHA512
f20260baa23ab9b1b4ede873d8a0c8a4ef98addad682b2cf67f3d1ff36e6de24d81903df0d1a8548165aacdee5b12ff839028c670f911825bbd316127ba64e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUgi.exe

Filesize
212KB

MD5
81b4f962fa56ccd44921bc8507522d46

SHA1
de5bc83ba7fb0bd46c642f3c8bbd6d9c4ad9dc1c

SHA256
40f13611191d73c84d1a432d0ed416bdca7169592e6d37d73113f4fe2da0fad9

SHA512
1a2b5015febadae38f23f14940bb1f2fdffa35ead5272b62ad4df2a08f2647242153e2b9b74ac31312fabea8d887f125f64bf0b09c7b8671390d23db44bd7869

Download Submit
C:\Users\Admin\AppData\Local\Temp\Akcg.exe

Filesize
193KB

MD5
194772aea8845d7fd138640a393cd916

SHA1
1ec3e293b663c074ba02310bc1743521f9469404

SHA256
89477959e5459aff08d65f3279c007d28e4794c064382a7caec5dbcad6b34279

SHA512
7cb5f3756771a7bea78b0ea1f687ed0011eb6332bd199ecadb7d39c1a3df87c1434bdde70c513c88cafd97749050717de98452a21fd06ce6c1f3fd1f1c535173

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAMa.exe

Filesize
715KB

MD5
a8bdd1176c1b50c9378b912d4542cf5e

SHA1
b7a22ffb88705b8cdd0f1309f5b9133becf974bf

SHA256
d202db53184740bb78e5813dca4358c889aef906eb54765d10bb2082428bb1ce

SHA512
e9b70a381ea3e271470c7777d3a7dd918ce6d325e60c20958dc4f78829a4f862761f9fb4cc2bcefd330270e1c0afc2b2a9f8a66a5042f2e44e3074c0aec8aab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYgg.exe

Filesize
383KB

MD5
be1ff79bdaa12ced89152072c65962c3

SHA1
246e2aa5280d1c55dc956fb914d2bf287f8a8937

SHA256
37927efac282adcf26a22479a7bc0564d23048536f69fda180bea917b929d176

SHA512
3e111b9a7df7e72d324088c184818b8f914139ef3c6a65aa37c228df3c852476aab59653cc4d7d2b34bd681d2debd211ce7ba768ad6f5dc91e6010063cf284e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgAs.exe

Filesize
186KB

MD5
a53b6214f7a21d05512afb4d91b7da26

SHA1
24d29ac3d2cb599f750c01734e1cb3f1e3fa9e9b

SHA256
44bd97f675c21f297fb9c1732e4bce3711125ed90e60a12af4a5774d8b80333d

SHA512
e7a0a6e1bc6d72c6e1a15f3aee914505da84bdc831afb28d21e954d3d61c47c61813b1eb4935dea8a1a79ba359bb714ca9f7eeefa483bb48889d2fb62571f14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcMq.exe

Filesize
188KB

MD5
4fd3067c1f66a5bf67c3f4329f2df612

SHA1
6626fad78988cf53471b90380edc47541e3e51bd

SHA256
c41d250cf7ce2f919951638cf2cb6083a9559e0991a443ad17ad703ef09272fb

SHA512
83a5ebdc490ee669f5d913ef3a97286e0f03c5c2b60135d6160e2a6e55142ec72391f232518c086938b29e292f60538250e0a15ab3a1158eb251da08ae409289

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAIo.exe

Filesize
1.4MB

MD5
2057ff8b01b00ec08d4d1d983e547aa5

SHA1
7f7726afac371ab8334f58d000047aa3283dda4c

SHA256
c86cde4bf89c11afbdfce1086a46b3b5337c72ab3e40a4803bffbd63b34bfba3

SHA512
760bc655f048e20c2a9682acc4c590ada5504b909ae5700434279fc7ad0f5ac673656b4f0b3f6b8a0b7a863fdb1acca3774817536c847147bb87454ae817a4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAQK.exe

Filesize
5.9MB

MD5
fe7453fb475eb3583168cde1868f5031

SHA1
8f834481096ef31045a1f7ea638fb1c74092332e

SHA256
ffe3f202e915ab98ea2cceca1c78d00509b5251c5e820716fe931ec07f508c54

SHA512
b7fb8944ab23a17d64a0f0ee616eb8710529c3b7f33d3d78da9e155eaed2c79ea69f10615f1ff91bbb602813b1c10dbb9ff34da6c958625466ca69583247ddcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIcI.exe

Filesize
995KB

MD5
e783d020471f67a0f041effa3e448b74

SHA1
797c26260421d92307efc0e43b8a7a9ad63748bd

SHA256
132b232b8f8c4fa8ea5decf028b233d73f45b06c05c239099296b88fbd891a0e

SHA512
9531e8aea1124aff39a46fc37eee092912c1765cdfa99584b338906266eff2521e778cb279d463a32f8815bcbc2a3e5a52930d6839e09f118d50b51c5791b4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYQm.exe

Filesize
181KB

MD5
b7a67454b60775a042add6b05780de9d

SHA1
9d49a66f3e81e7c59d9d23d0fb6e24a1a9db7cb2

SHA256
07f2fd3ac837f0f82e32c568ffe367279a612256dc305f04b7bb4b58a371465c

SHA512
a98ce185afa0bef116908d42529a22c1c566e7dbb986fc96e63afc18d7de4f2d82b2fc39ec4b0677b1db03d437f8a04937e92e99b47eebfde2d6551d8cb5d7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkAE.exe

Filesize
199KB

MD5
b40c01de80e5b121ce31958a359c912f

SHA1
17d87d25d5172559f6bfaafb442559d3b25d002f

SHA256
4a064f217950b919782e683cb94a2dc6475597a72118d4fb021fa5c13cbf15a2

SHA512
7c46e30f759ca905e0a6e3aa7ebee6c48d97e66b1a219076a73535066c69719c6d1527f592f97327c4c50f8c9d0a29d8304c04b99b16503b83b9edb6fe1d57ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsYE.exe

Filesize
191KB

MD5
603285f4d1cf154bc3ab7f054e72ea34

SHA1
fa9902bef0f5db6e5308b21b63f3b3238f2180bd

SHA256
def2e5b962ae259ba8a5259b62eb7dc9c47155f3ca5c48dca6a8dbab6938a253

SHA512
d0b97d6aa75814b6c2dba1be90a8d45ce61e448349751ce0d6884b1e39c5767d07f9b7949b397704b5c8b547f61c17bdd2a971431aa72554d1cb5beabd6462e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUsE.exe

Filesize
5.9MB

MD5
9dd0c8d7e1d51ac5643e590134d71e38

SHA1
09fb634e82eb5f5cb4844b5f15d00b46d9137351

SHA256
2c2062b25683fe6952dc3a26699ffcd2315d352ea52f13332e88a583619d9f94

SHA512
4a512c870b1a10d027289cdb19737a6337a5b80fbf9ce3f3295881a19e4df54c9e4f731cebdeb738d1a5be25b6724b7cfdfe208501ca0face0dc1110491b1908

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwYM.exe

Filesize
218KB

MD5
b2fdfd54dcb484bf2b1cb7fd43302206

SHA1
565968415f5336993a485133d69b864286813dd7

SHA256
3098160c24a8443d7241d96e4c42bac3ad74501705a84a0ee0c3b8c901dfc866

SHA512
0b1261d5a2da8c4c0a8104e1399cb1ffec3bd37af5bbd100d9d77d9fdc129eeccf0223d6ec424b23a6d99c9a1be80abf377488ecdb3ca6e8417da0f4783a22fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAcY.exe

Filesize
195KB

MD5
7f5bbbc9b5e7481aefc256197be4fd3e

SHA1
4334a4cb813f5476b49412d5f712b3386b60e630

SHA256
c97b070f1783356eb976336dbfe5a43a674df625749bcb847693dcc9880be3f9

SHA512
bd5e5d0702c36add207974476266c958e7dbcc10365beb41afec1fcbdb8dafdd3325c78e826b23a20fa06c91ace03520f2380af03ae1b6c726bcff9853b62044

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcMO.exe

Filesize
187KB

MD5
92f1c947b782a213e60b2ece215d4442

SHA1
b5c0472a19ad1c71c3cd1e8e97d14581333192e3

SHA256
03e65e5abb61741b0d7caa0f1a7bf8e8a26fc6dc7fb3299ec8cb527e3ef550a8

SHA512
a8494640c5a0bae24b3efd563c9844492cce08f420ad2d349d854255ca791dac2c8ae1e455f5eb09abaf5a2f0fbde90bf4d695b58becff7805e189549064f74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KowwEgAo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIkY.exe

Filesize
219KB

MD5
ab5322b4d258b918c8c34cd66fac2083

SHA1
6f7e1c4ba4c35b99801f8a8b6c4e07b026ad1026

SHA256
a5e9ddba4bda7b1ef9166fb70124ac12f41ce56a211ba6c0a359bc01ef1eae60

SHA512
9d950af68a4311fc9e2577cfdd36c6fc2ee8faf815e2e9491454fcec108a50949258eb1536b9b489c705cf581017114a39f6d8edb6ed6070d922de92f8e89f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMYU.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQYO.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoQc.exe

Filesize
209KB

MD5
137585d895ec731514a4531ccb7eee0d

SHA1
e3690869b319e237ec627dc40a418a7d4c1c4011

SHA256
62b316f449cfd5624fb01a85ff9daddf1038507c6532d77a46e8887694508f9f

SHA512
7f26bc08ba9c95deda54ed154338e90caf76c91aecf6b5cc874e21aebc593b6117a369d55dae22ccd3aac100635230314516f2a44a5e7918cfc9a5c80666cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAIc.exe

Filesize
635KB

MD5
e8c4c49562778f3f2d1c3459fa7306fb

SHA1
0fb9801f3f6eb329cf001d90152246ea4fa79084

SHA256
1136ba6b4caeea7df9efa1ccb71916950f20d378bfba581be1a6a4a3f9e54e3b

SHA512
f0c03919d412a880d26d5c512b9f941790506af0e3dab7ee4f77d26f107d560c61979214c8a7d263f4c895a92c10a6f0f1ceb8f70772a205767af16026270f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEgs.exe

Filesize
213KB

MD5
18f0f9369b11a22f42d783f7f5fd295b

SHA1
fc3967c16467a996e5c2a4bcfeddf8d722f81ce9

SHA256
21b8da3b3cca40deba37536636912a419f556f052a6f827d293ab5e11f4b2dcc

SHA512
b37b3ce08332842531d904e478babe2fb285bdf2f3c0b862d11555bd97e7f44a43d4f57f92f68751885cb59dbeea8fbee471ac236dc91dd294c8d2a1d0881fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoYi.exe

Filesize
241KB

MD5
d23194dfefcef1d3c0b99117d971ec95

SHA1
8ae6170a31993fb19e3fca1e3f449c95a28f0369

SHA256
32c97381e7731444abf4513ed165fab0ded656c298e0bd3f751c8dd745794226

SHA512
a14690a943a219d496f0d52f43b1551beafa5dc2deb7756bc222da1ea00f4f4cc0403e2225675aec3b22604ee44bf40297a3bc3e4d13188c96d46a1cdbdb56a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEog.exe

Filesize
182KB

MD5
dea86ff291bb886a7df58baae52e2e29

SHA1
478d0cd3d9394bb2ad2c68521632928743126f6b

SHA256
4ee44926624039cbdcd6d8c104175419d1911dcfc9e1e14ac41e5c4d5a3f0275

SHA512
aa952ca53781374b7fc0a37557728c2b20bfd572cc99a5112294ccb930c22eb5b2f894baf51bcf52ad2370e7291cfd09843c2c6e5c34c9379f7bb9afcadd89c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEog.exe

Filesize
190KB

MD5
a707bdd070b559b242af1e0a7e226302

SHA1
eeec445d20ba26cf433381e89a35d899c6b36cd2

SHA256
87457ea7760f6e6e99f7e85492b8f2d2ddec04d86c701019b63dde32b6bbe74c

SHA512
45c34402efc2f02d78e82ad321a8b36e65300665ae601768b64dd0e1fe41c59f815e537d3f988a082411f1a45f8b32661eb3abb83ed1f82aad8ebd5f9b4d3fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUQwQEsQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwAG.exe

Filesize
195KB

MD5
779c45e054b26abc9ee59c5336872344

SHA1
f53c9fd0d73e3335f5ecc403f73cc1c0478aa6bf

SHA256
7b0fd8ec9ceb8aac8574e4291d67244207275991efd758897fff3c4180ddd178

SHA512
c9504d2a70856800bb98f5ee1a1189f3bbd4b28cdd86adb73be2e5059b3a4efd2c32a1287f3d2121ac361251f1d28a5e3f0c303c5ef952da91a3d4aa6b74daf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkEU.exe

Filesize
657KB

MD5
27cce9c87596db04d14c99d842076bc9

SHA1
2c6e94a7229c8db052cfe50b21c0e406a5372540

SHA256
0a4d36bea0d01d7bbeb89f2dcf12d6fb1974517217ed6e32968370294429a34f

SHA512
38467d144deb29827cd5a38e49b4ea30d2e7c265a9c1d4b8b3de4cdd4ce526cf10c9c0df669024682dd46dd71db419aaf7d1e17a016614b03e3cdc19409d3dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQMs.exe

Filesize
541KB

MD5
0a275d37d50f165536c7a049982aac36

SHA1
5454b99dd335e9fbd4293b81ae44c6470c7db59e

SHA256
ca432374acdd5d5e5ba4c6c0833068b7d354925f2a0a201bb3c10a78298ada94

SHA512
ba9e01560e58241a365d352eb23abe7bc61fbb2757aeed5d222527489de1c5e1e2f7881de4d3a7e288f344aeae10c044270c509bff0769ec785b00dac60a06bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUUO.exe

Filesize
1.5MB

MD5
6814f4cf12c1ebcb9ea5952f71485c51

SHA1
d1f3231d09795010953edd57ed9f6652654e1824

SHA256
06a99dd55e93e823ba3507ca0c131712646b65f61a8d710ea0cf9f3d22f10e07

SHA512
ec703db1eb4f14779d9d8ee6d809ca81b7b271616d0af0e8d0e849c2f4dbc1f02a1d3fabd849222a6e53b1ad1cc29a934391a8e6b38d8f32b0d2de6aeae3d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUse.exe

Filesize
204KB

MD5
7fb039da2e444f5d9d4d4745bcdceddb

SHA1
1d5555b2649fa5e711b8fb20c378bdaebeb1f937

SHA256
d4c74343b38505188a1c963c9a0f5075b704bb74379dd92fb067be250be06258

SHA512
0c1ebdb39f3bc1769fe87c77bba0cea9cdbee1518cc5f84f6d1bc4d88ad4fbe55386ace7a7d5fcf1cc22b613f27f8822384dde211fc3f57a9660640e87647667

Download Submit
C:\Users\Admin\AppData\Local\Temp\RcAu.exe

Filesize
483KB

MD5
96583bc396d92e94a567091a9c97ede4

SHA1
dcfdd7343c8414cdfce18affaa68a6b0f4b3a025

SHA256
708574250d79e6033a3b27082ad140b0e72cd4332ce06425daa49c781c0f4b03

SHA512
d70ee06d903b3b2d040f889f59d35e0f0942a56b929067ae3dea2daf74c08583b38dea88732d6048bc2555c0c780c91396324800e977aec9dfad377ab6a2aee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuEQcoIs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwoY.exe

Filesize
206KB

MD5
72ba5240db2fc6f518d8861fab371be1

SHA1
2f6a430103143786b9276c8caf0e7a4053bca2a9

SHA256
b5a42c0eb7291fe11254dc6a26cd5d8fd3e425b9e4d285c3cd53fc0f6ffa6750

SHA512
79c4180c279aa7951a11f22cac9cb46e4f0c9ea73e2dfbd05b2cecca87faf474dac22f0ee011390976259fe6873b432fc8d6d5c6f478e000de1d0030c5003381

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEwQ.exe

Filesize
191KB

MD5
5a15a2e3d1a7c2f67614774fe5f6b185

SHA1
d0e1fa2438fdaa2d01bc7fde1f64c015bab5d501

SHA256
5a30efd040042c254b123a2c90307aae0866bae305e9ed6a471b0da9d4ea3cf2

SHA512
505bd56cdadd978df4933981fa1718777432cbe36b4ef14c9b2701f39713b449017df5f176f5d54e913b8a71bf5693c52271c9299d2e7074ae401c1f9e695068

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoUi.exe

Filesize
199KB

MD5
49755d962233b7871436f0550c2fa94c

SHA1
3569945d94d6ef5b582d4c818652480bc8a60a6b

SHA256
83c8a40f2e9fc377596d573190c129f779caddb47cd6bb3ea7887b4cadb32c98

SHA512
fbbebd3154866dbadc81d9de22c4101040852efd2f42e58f010053e21b4aca5432a55352fdcd69642f3f6e0d84d2179f024319a2c966721bd5e7db6ab7704bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcwO.exe

Filesize
226KB

MD5
b7458b623a7fed7b06fdd3bf9e7f94b9

SHA1
1143aa98d3b119f5dccab79460cc89e654f3712c

SHA256
6f183e20fdcb36d619ae44639859d264efc23400c868d58213000e2dd8091b21

SHA512
09de7913f73328961a002d105ca117cfd715e529d78aebfec25e975feec0151f46a54526ff76df3f591c6b7140dc8776356e7493fdc65f265fa8980732febca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwogUMUM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQsU.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcEu.exe

Filesize
202KB

MD5
df4564cd1a64e071a01cfd7c7d6fd917

SHA1
16a31f09b54c43ba0a4eb54f6f590dd6b15cc3a4

SHA256
0acc1ab42ff496b78f4d441ac268525cc9d032afcaf222af5400c128ab9391b8

SHA512
4d467bffd8de819d5c2137ac8782fc7c3ca750a9853be226903ac46a3f1ff101562005d920ee2df2c9b6fdab1c132274721ef548863bdc03af836d6b3383d3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcUY.ico

Filesize
4KB

MD5
383646cca62e4fe9e6ab638e6dea9b9e

SHA1
b91b3cbb9bcf486bb7dc28dc89301464659bb95b

SHA256
9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5

SHA512
03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoEC.exe

Filesize
205KB

MD5
f33d19edf6c5378f02c30f18c5c92c1d

SHA1
3b22dec0d44e6abbeab319d78999c1b9f79a72b1

SHA256
ec0f866d30e823ed8788aac547377feeb9194fc0d889ba0f0675e66af6ee3614

SHA512
147b1505d03a4cf2e6f92a20fadccf46ff1038b484217dff5468d3687a1f080b848b441366fc3089ae80235b938467f0bbc63e56ed7672174055226f917543f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VggY.exe

Filesize
207KB

MD5
b0ddc3661bf62a1536e2c4e9c075aa18

SHA1
50281bed60b3db36d3bd38ef698ddcff6699a5e3

SHA256
9a0fa5d89e17656d5d80703e1d854fb57c6b869b4befd696e4698c1c737b02c2

SHA512
52478b3a3607f9b47486fa7ca3b9c69073dbb5a85f42387ee2160517a075f643cb83395ad2113c09b6494a58784dd0970a71d8a3c7f15d70309d835338aea3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vkos.exe

Filesize
649KB

MD5
8ad4bff0814c953486968d9298f77746

SHA1
cbc50bd60adde18d1a40729fb240e0abb2f7dbe1

SHA256
87c4368fa82ec86029b32db05a800083c86e5b45421c8d60137785638ef32e28

SHA512
64d32938675dd18380d7af2bfc9174e193ff6da4c3c35ef625cbf4376c993fad8d611324debdd4d7c4f85a5391f01e7a19ca932a1ab9975f961efe1bef08abaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vooo.exe

Filesize
199KB

MD5
d6940bf2411188c33b20fbceb83084b0

SHA1
c7e2100fc919ef7a4f4acc9e90ad7cd230b9c008

SHA256
3c8c3a2fe5cf98be898d72ed0404d661cfc7f22f09963850a9c3dbc0aab658f7

SHA512
c74c579a8c995fcf41d41f883277869e266afd50d0eeefcc3ca8c68f7ca5b196e4734d50f1efa3707f8e66ce77dde57e7ed5f278bdc2e23f827609bbb7f32d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqUoAgkY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEUu.exe

Filesize
737KB

MD5
9ccfd22bf9497ab695ca1b01f0e3a819

SHA1
a6d8d4043579abcc127f1a01f0f7dda40d16ce44

SHA256
e62990f322f46437b2cea6c991735477e772a7b2368bb7d0444eb42240a36184

SHA512
6490b98037d9e0d950ac595799687c5ff3a3649fac043bdbaf0dfa9b0e2dbf6c7d3d066ea608ce7779b3f9c1be477435581e3aa9557eb3c869d3fc5b578eae2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQUY.exe

Filesize
186KB

MD5
f9818e8938e6eae3ea2deacec1ad3da3

SHA1
ac0b4409c117ed480fb06efdbdce907449ca249a

SHA256
ead940bee6428018aa8be722f723edbd97d19b5e3b98f12da8c7d64ca99747d2

SHA512
fac9b960c4bb0c3e3b3e941045fc0aef6cf4db48940106b9d3459914a0fcacb054295341cbfa19688706dc166333ebb28002348739321d70f704c003f2230e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\XwsS.exe

Filesize
227KB

MD5
bab3110cc442b613dcafb9c8e2752ac3

SHA1
b6fb155a3180922a2154a2ee52d41c1fa5875392

SHA256
f1d19a3f2972507831821b11c3246751b850a2214bad302c30d2b667745c12d3

SHA512
2d797c3c22ab5a85488298b303622d0d1ba0ca1f2ee51ff4db3e30daa815377e92f830d8c8d9fb1e679c1aae5a4d9097ee56d07fc4183dfa5b52e2fe712599fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIEm.exe

Filesize
306KB

MD5
fdf5bb10f4ccbe46ecffa97486698b88

SHA1
7189590d2ef734693dc7df1b7d082a0df1433490

SHA256
1c408af4371c01dc483b483d3d194b154ef38184cb733dc3fcc0bfbb6e1641f1

SHA512
8a09e54630004ab751042587945ad1f702c8aed4aa55516384a0a47e2bfbf2b2105405ad70a9e221b9d2be27991e5eff6d54dfd3942723fb1cc5550d5e2a4c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoMw.exe

Filesize
382KB

MD5
26ca242d764ce9e39bec4aebbe78d59a

SHA1
e2d3dd09eeb6cb3df7b627c05ec10daafa8774b6

SHA256
6966b77e10f121abf595be86e3aed7f49d592e0c8474bc7b757c7687e315af56

SHA512
9cbd02287d43088ce8afb35f103312a3f294b9269bc7cdc5caa2e5933f72c5ecbe45175a1d069bb19bfe03283fd06b81b3ae8c69bcdb5a2db5368665a5a64ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoYe.exe

Filesize
187KB

MD5
430b320af21d87ee092d87198c73c811

SHA1
b75901e918791565a714d590ed9992428a301c51

SHA256
8109824af8b2f35e180bcbbbd58b32f19ddb46ecea0b8fef470efd08f9a4a121

SHA512
445912d0f43b0a79394fe4acc59123221c31fd38c7f6ffeef6b301807c41005d50188856922c941004922e6fe106b0a8d5b4f356661b54fa6cfc23f249f3d76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAwK.exe

Filesize
190KB

MD5
67108ddab1ad3d442110b92679823bfa

SHA1
cfd5a8b7dbb300f19391ff16aab6ce9cec87b982

SHA256
92bf80ac461723450b70fdb406e8caf3080673844294b6fc745050b08b1b9265

SHA512
15d418bd68cc0f50dcca1ee51fabee9227722705ab6ac60fd99aa52ab41763688f3d0b0dfb6a38e86173ad0d61bf0ef8dd37e513d42e66ad09a1ab3f14b5bbe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZoAgEIQc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZoAgEIQc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZowO.exe

Filesize
201KB

MD5
0de037840d990e9b66937d6134282d45

SHA1
228e1bb78a6a391e15d480ea2f96e594aa1b201d

SHA256
f0098dc30a5199eeb5ede30f9d79155e3e36007fff4b16d0768179b69fa23996

SHA512
673b53d02852d66540e7f1737900aa32515882ce15038bde63b9bf65dd755564942ff32014acc4b6e5bffb7f665e6bf23d26b5889d6e9c2df1592f40a458a48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\agwK.exe

Filesize
702KB

MD5
4a70c14898a1dcfea2965e9e4bc11306

SHA1
fb9c668e3179c4007a47692c8482f0e95d75b4b7

SHA256
c8898b7d61a199b9cb7ce01264c55a6e8d033f1a6bfea2a7562f4b267d710d5c

SHA512
aabff9e9d176d2096a08d4973312036b2a8ed428c1f9818f1060dd35e3063be8341145bc0970bc6ecc72ea958e8196f0b2d8e8d67a9598b4e5a8ee5de305176e

Download Submit
C:\Users\Admin\AppData\Local\Temp\akkG.exe

Filesize
187KB

MD5
706c2f2575a0aa1add8a8174593ddde7

SHA1
810bb172ee46303085036f504518edfaa2659521

SHA256
1dd8199ec242c560d4113c03a290817a72c93bc4d868f3db35a1e1c27dd1155d

SHA512
c5323fac3f83d6a764de7feee181f7ea511032c1729732495ce00498d70eb0b2a80fbc8c80029ecb0990787b01466416017177da088c3b95b81df1d764d1da6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQso.exe

Filesize
200KB

MD5
1058cb48cb409bf02e6bf5e16c91a34b

SHA1
8e13d05850cc828cf9d1b4733669fe7bfc3fb290

SHA256
b305c9243337d1f1cecc959a2dea5e3a58fcbea5cdb327eee344c9a37c3d2588

SHA512
6d63e5d1ddfaee03e8867a85cfb7d73a104193e75924dff7e1ac6d6555d61ab79e89e3568b88c9a460d2d7d68af69d50a7b4874064c29719ab0f33a849da3c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcYc.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgsm.exe

Filesize
791KB

MD5
d2254359845f1dff3daa0ce19930dd3a

SHA1
d9a9cf79f6f0876beaaea942b92294b165907325

SHA256
d1c9e3428a61fa136a01210f67c421ba7610bfb4cbfc686fdb4aff31c17457cb

SHA512
ff2538d56756aa39862d11b869c91cb62c3c9ba034111faea43573edc391efcb42d27222ae916b63b263ee80a68a98f7edcc0d925eba7b9ab3ffec99aee3ef35

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkIC.exe

Filesize
200KB

MD5
11578dd05ea516f01c7061ea8d5fbd91

SHA1
54eeb82042ab81affa871cb6ad1ff19b2d5b4e01

SHA256
f0914e55a9869fce3efe148c66ecf11025d138b3a83196bd929a6114de92352a

SHA512
4d7a0c27f9a66fd7e62bb12fb650681a5e74654d970187a288a226d169f77fa39aa0a7d435c339fd4c5681f640af8d8f8227df8d546fad4efeec0611e1a57731

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsIg.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQIYgcEA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsEO.exe

Filesize
199KB

MD5
94decda2e803e4a42456760cccd0d953

SHA1
84371d0af11ee5d1ff0eee46b86dad3bdeeeb701

SHA256
ebb141c108d89e92c1e5522beed7836b24c8fa1f53941d9d9c17e92a8e1cfb57

SHA512
1607e0722bb9c62d88aaebe2ee65c096dded1d5419e5ae1d5a13557a9ce20ec8c7de08c6855e528c03d577241ad312e09ddfa2018d084485e56de2d29a244771

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIQW.exe

Filesize
323KB

MD5
6138a6d037cdbf1412f881708e347050

SHA1
bc8146342e6f0ed8ab31405e8857ff09178f6ac1

SHA256
3227a803125239cbc2be5c681ba3d4e43d66e7372c7ed3589510238a680936ff

SHA512
f28023f32c3fa7ada09da63a5e9726b3d1687652b65d197b8e372051600260553bfd70583edb831b0ecde3af14daeb4ffacb596d9bdfc72ce62fb3492cd28a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekUw.exe

Filesize
194KB

MD5
73b6cfd381b6d9d25c806d72ead83c4e

SHA1
9f2f23dc58b7a4dd54e684aa9af04f700719f9d2

SHA256
7f814f9353946bed71f1ed8c6b9a971236a1fc51245e18e7fa6a3fa08104a2e5

SHA512
6baeb90cdc37a1de150b3a81753694883977bbf7d51cb38ba6f4484594bf0c2b969299430eb04fe6f3a1aab1342df591a8da7d1dd911495a6332ded188c69dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eswscoIU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewEw.exe

Filesize
210KB

MD5
db1f362e73f67bb1f1f6a88fa8f61973

SHA1
cf825a64e6db5bb7512f2355cceb8397478a0bb4

SHA256
ccf118384b9ef1977032f003e40fba2058c14723d6fe66e14c307c2f7c8b9d75

SHA512
a7dce76d15e1c1218fd4c906164facf35636b7cd5125c5596df5fd8d1003de6952b660b65e74a3a2db4fcb91f91919818141700229c4c8f4bf0fe3969bd56855

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUcG.exe

Filesize
199KB

MD5
8c08d196615fbbe9409c0c5c4e147150

SHA1
31ea31c786f93b629a8d834640388aa1946cf492

SHA256
a631251e3e979484d74b7065dba84523a0153b004861f3d42fa8548ab3c7c901

SHA512
cd5a9b4ef07c4b0dc64a760d610ee7b3d887bc52e3fdfefa4dfd1514897eb413647d9d69f0bae9b85f3a1e0882abe195bb0e1ce08ee6a69d74cfc411b5a1904e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gCgoEUgE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gCscsMcM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gckK.exe

Filesize
654KB

MD5
f952346d153007dc4ae3fb168c5d1591

SHA1
b6df4f48ec732caca7db3fcbe9a40fa437d139d8

SHA256
e3856d114bf1a012e7d4c139b0029b9cdfa801927ac405703f4a3e8c3592fc67

SHA512
3a1e4cd207b786a7938c256a41ba635fddc43b9273556b8363ee9e49aa2167408040fefe23cf8a7c8ac3fd7d609359f8a839a35b2c83fcf11d59420855e52e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\goIy.exe

Filesize
561KB

MD5
9c488be1c745bde270adcfceb7370caf

SHA1
2a4cfcf2bf31f1be726ee670389a63f738d66beb

SHA256
1ae587139418d403ff48d80972a646c458d21c9f86f766878c8ddd5a2ae09545

SHA512
e78c94eb6d3d735cf1dbdb60da5d305f87c45d44e081bc19fd6538134bf373f2b89366c5083da45c11b91fe54aa594c25df3ccfbbda07cc1d7bcaf907d999810

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAsC.exe

Filesize
186KB

MD5
ae76c74a06b52629558ee40ff049a6e7

SHA1
077cb4fb4a61f73838545c3e9b522460817dd3f7

SHA256
4dfa2ecd0b4911ecdf3581f1c9e1cc141c98b3c7a77815ba8fc3a21fe0ee858c

SHA512
4f07e52016fda7100d8ac8aa2357ac2815db7190feb3b00d1a5e69314c18f9388a1d9c8f239f1da6eb1ef4509520dea66876962ee19a3bed71ce3154613bcf47

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEoo.exe

Filesize
208KB

MD5
c9c223059106007a596ccfc9cd4c37ec

SHA1
4d691174e88ef4ffbfc86308b926c69e5cb1acee

SHA256
390eed3c7ad4ea325161cb4dd5e4f571d358e1228c39fa2aa4401e7b50f114dc

SHA512
7b6d1ff0e21a6ddaf1d993a13594b482ddcdeb04cc617a468ad84b05fefbfade3066724fb652ff4bdcca132ff30d8572dcc7035cc71d5203e428d4b94a41a794

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOkUosAc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoAW.exe

Filesize
504KB

MD5
1e4bbf7d0c87dc32667cfc5a87bc7bcd

SHA1
28bad31e997c3b919ef9910a577ebdc2dd47c83d

SHA256
e7abe6a9c22ad9927ed1d7e5301586ac922e299be947d517d546643070e931a6

SHA512
7ce61afd1ce513fc082e1e7c8e562c135c725a63bfec360a98eed143b6bb8ba2929d67172511eac16d7161d9b270849a49dc53f7c512634d7da60542969a1301

Download Submit
C:\Users\Admin\AppData\Local\Temp\iCkwgUEM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\icYm.exe

Filesize
181KB

MD5
b17d4a533027fd963bc6e972710e3929

SHA1
c06cc550afd85153270e5100f19b29e4946f9981

SHA256
7062be5392f08d6980d6c22ac9dd1924c97c216308ff4105a2864b8a00c800ce

SHA512
4f185500fdc8c8ca311d3d75d7ec771a39801e9aa6043e419d4dc9f23b8931f742fc56e5c02f180ca4ec5ec44b3553261f9e70ed69b3c58bd252ce1530d42851

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwkG.exe

Filesize
188KB

MD5
ee5a9c8ef213040fbce200cffc1d6f71

SHA1
9cd85ba472b8b17327d932765800e25d2cae1c65

SHA256
2a0c7e2ae3825339e88c690025da8647f1cf875692f7198feed0173f24060096

SHA512
71d2d6aeededb6ec1883b2c8bf825f168344994cbe8d6ca14e45854a7be2f260ee18bfa6875b0193ea81132a4e586b27e21df6624649ba0aa475a8407b12eea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEwa.exe

Filesize
197KB

MD5
aa77edac4e47746b7c9bc4e1a566c1a0

SHA1
f49a23fb9773cb127e4092b92aaec0ab1232e3e7

SHA256
c64c93cdae0e51b0b637ea87a8fc72e6688b1cfb4a6449aebae8a8991a93fc56

SHA512
4eb8af59a9d132cb24852fc8197ca4cc5cab0f6a54fc9075545567b1a8817b5c35a589c713bfd2e27e2e45c0eb8562c1496a47029f2fa69d40a522f358b54fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQMU.exe

Filesize
312KB

MD5
1da4fde2579310a2fa79203aac5bdd2b

SHA1
a2ec9b969bd21642c9d0b55d053bc014dfc5582d

SHA256
7be38a1558847760329d6fbdccaf70bd8670a069fb0b34eca3df78e96560b032

SHA512
47bcf9b6e2e90915c6d6c6fbdf7f82e803252778f45e7c81228ba9141f314fc4763a552800df509d096eab39d9176fedfc932223c0b71e1ddb7b204079e7cf7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAoI.exe

Filesize
191KB

MD5
625f38546fca1de65920dfe2ad8df36e

SHA1
4c3f28dbee70e4e221661fbd57289af301570f5b

SHA256
8ea0f743379f0703b073c9abac41fb8412ee7f4fe2f30c2822c2de4d56e3d5cc

SHA512
8e43ec56b0c65815b6dfe5886219b091decc5d8c45312e968e6bb8e4041c745d9e031420ec4fc312c80512dfb0ba0b2d9e7d0c75aecfda22e5917866e1c15e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQAQIkAM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEgc.exe

Filesize
198KB

MD5
7296bf2e7503789aec6f6a1bd66ae073

SHA1
318962bcce43c380978c571161b146048ced5b69

SHA256
f9f4905d922cc2637b6e6a4953a1d3b94d5dbcc9f1e68ba31d1dea4b3647e625

SHA512
aa65106c9998716566307ceeae7dcdd3199bf2a680b02e458b6177b2acbc46e597c8f62d07bf3f346e7c1e483d0046c44c5f30a9c02375126f5a4319c51f2b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMIy.exe

Filesize
198KB

MD5
bea1a220b3a2532dfde9f15d5afbbdf9

SHA1
98b8bd1423f7453ae3ffe002396fa519c6825484

SHA256
6a42aeef61d1f5d9e9c196cbcde5768b4ab4b3da08176bbcc9a028b546fd746d

SHA512
60eeb583e316c6e2391efc52b9640d4b963407e977874f3a623b6072fca46c8a1d165fd1fcdb98596cb8424245898546bf0dd7fec275ec10c4a78c90ebe84894

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMkw.exe

Filesize
200KB

MD5
1d00d8770b9cd18598efb1c2cb99971b

SHA1
01e4dcd43c62beb0975ca2eb805211f65f78cf56

SHA256
2a3642d41371b5564150244ab440a64f15ab7a30a5fbf5be080766d260419f66

SHA512
f91b90f20f19ba07111463e999d960ec64240e0218a7875b7c89b04950f05ed3c97f018629b1e98cb50579b237787a2dabb504d5f8fa1a047109fef77ce84349

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwMe.exe

Filesize
830KB

MD5
e7323d17e2f87b15a2abc995ea13509b

SHA1
b4feeae2b724b6cdaa09fb38945a65889265ada1

SHA256
ad4b2fba5835644eb148001e1a34d0027dab89d98127a7725607e73a490c9db4

SHA512
1940c872af4af84060a5a09c9e9671b2a5d004e328609721e1755206005950ebab21f39d4ba40f23478da55af9034bbd54130854d100ac91e4ac0f0c01aba937

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMgS.exe

Filesize
185KB

MD5
31f22c86156f415e0b1aa18a2b771671

SHA1
a7ab288c4d059bc9b4a0a51c48228b1a05e92bf9

SHA256
7140d0b8ef16b9a3c99b64fd3548fa25bcc1354524a7850896ea1c15cf7ff051

SHA512
87a8b76a378774a829bb4605b58156c8e71fbe5868f602aa09e9825e2bb53129611e844e09b60eea6739d31d6b688d2849d8883a0f6b60706b479cf1b59aed0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogsM.exe

Filesize
1.8MB

MD5
1ca41c85d9590147c08ef25e27a520da

SHA1
a31cd1cf21ae605669745d8053fdbe99b5ae3f34

SHA256
867750b2ab13aeae236ad148853eaa82e015e3d4e8c81772bb62c5127e2347e6

SHA512
da18934f50c6bca430418e3da717e6932c5bf84169c5107016068c1d68d7e6748075a98e2c2e18e5d2129608538cad3fc927dc37959ce5b1e7bc548423937e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwQE.exe

Filesize
5.2MB

MD5
e3a2a67b8feb114d94fa09cb9bd68433

SHA1
5c7a406ed7df0ad73318d584393ab61c2c799d56

SHA256
897a3380fe6eb418e2c0d8038491547c51f63f9c3606412452d0e3f9b06fa2ae

SHA512
969af62a6bb77dcc8410ecbeee3957f599bed0ad6f338f2d88e1738a4baf7fcfe2605a5b90871dfe1631b7924ede582d5a5882cf1a4f59cbe062b764d8b66361

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAsK.exe

Filesize
187KB

MD5
bb139396eb7ca7ffe673adb1ff6defeb

SHA1
d22931e416286cee5ae07dd465b29c49dea42122

SHA256
1d4978dfc69d5e0b04ce61672f4afa6af594520c6908a71cc42f123bb6e8d97f

SHA512
3579e25cf877b9953ae879766aa6db93e535cec0cdc64388ad92cd1facb9192691f6e810f720a4cb9b392013a1ee705386751afb4460948322125b50ac47a49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAsQwMAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMMg.exe

Filesize
823KB

MD5
3cb40c44a1419d547af2e6422a487765

SHA1
6551c7653300efbf29683a7ace27f3da0d95d2d8

SHA256
ade757c5368413e2eb457605a72f77e90738050aa15d50dfa62704b6ef2030ca

SHA512
00b971353cc9111810e6a38777431bb45e4e0508cbec56a593b533105f49fc8ab611b223e803846a5c2f4b16081fa417688be70e6d528be197c6ed37f1e933fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQwI.exe

Filesize
5.9MB

MD5
37b2ad20a2dd06c23f0e1aa2fbd5107d

SHA1
c54aa259160b49cab79b19657a34c669e222e21f

SHA256
014bb4df5b03340025d7c28b6b1233ccb3045554f97b0afbec8f22e2d53aca92

SHA512
b9ccab553e2ca17b22aec7cf4e476964bfe87346a28878ba6c2f63babb98b77ab8accd8359620f3d435c2fd6802285a7f1fd4d3b560d20044b24391be72343fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcoE.exe

Filesize
320KB

MD5
c10045bcb003c2242b3b895009b0fefc

SHA1
49728f61dcf74d86b8d632d042622c1b41c7631a

SHA256
20fdf8a8f0f78f14504d233650b162894e152228e0f32cf757f27fa6ecaea664

SHA512
2dc6b595496a3c92b0c66502c0c0c64e5f53d66e40f6ff808b70a44fb203f8029947a83332c7d169ac9f9fd6b21aea0a2c3dfef50c64c0846c1f2037c4bf0417

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAEo.exe

Filesize
184KB

MD5
93f34bfdbbe5f32cc46c4fae0610ccfe

SHA1
36900922c272eefac6be878f3c7287b9959a1a5f

SHA256
549ebefa71525df7ba73547485df95f16ad409ff0f00af88f97c6ab13c20ee9d

SHA512
d868f734b9606c59536fe5585097d324fa39ea2f32b518b63143fbc86800b2c0ed1279e6883d8f9f6133db299715a7f0be959109c1fc35edc5ea8523aca18b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEka.exe

Filesize
204KB

MD5
03aef35b545b01e6874395a615693cf1

SHA1
c4bd27b4fee5524ef26d1e248bb96978e2fdc9c9

SHA256
66be27aa81aa01f181586754852fc67406de0f8fcafd271b7d352d5b0d890c3a

SHA512
99be850944a5fe2b1cec1937b492b7a4027d5ae2ff55598172cc80d8dcac52b0cf0fa8a35249648e528d66f236c788896cf54f557c2d19c8a761b16e029ae2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUso.exe

Filesize
197KB

MD5
811c5d29c83f97bc79bdaf1807913fa9

SHA1
1452db6eb13acbf506eb307384e820718d020ed6

SHA256
231ea01cb3ee6144b572470fb886ed8429cf6478c2c4bb83c7eacc5f263f94a6

SHA512
f00f1db85444cc84fcc239b49cbbce9e749e65bccf2491a3071ad766594f4948777dc1c7c910900d4c5c57d10c7b0abeee74c0f2fbb8dbff0a0ba4594ee8172c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgQy.exe

Filesize
205KB

MD5
7f7f8f6aee4db651d4111c33dadeb1b5

SHA1
9a11e9ae46ed7d69463eebdf50df8ff58ba90614

SHA256
382ed8e17bc0ddf810cfb944dd22344654790951d0e93ec86e46eff26aa24f55

SHA512
0cd057e3ea19504a1b754dd8104f1888372a7e8db4adc35759318a0ae00da7d99ca41b7360149be06313866dd98bdcfac2a41deb54fa27e934aabf3ca4600a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkQY.exe

Filesize
5.9MB

MD5
8398acf1abe449eaf50c3fd5814be31d

SHA1
9b1f90f828f94adc5ebb41b279d5bcfb8cdeffbb

SHA256
433e645eca86ab7737bd5be46ce0efd223cbaf959ac532c97234f243d144f29b

SHA512
187b454142d9050085fdfc50d704921ee2e9f191f6e5b5398a00371595274cd9681b303af725c019c7428725faf911085ba04e6d295a6251cfbb900cb3086cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsUM.exe

Filesize
205KB

MD5
a847920f1920bc3d3f39aa785ec968cf

SHA1
21b35d4895e46a09df9dde9ebfe313071e4006df

SHA256
724c2fcb47353e0b31e902c8796d68d7a24833360f6c4f80e07c2302a5f914a2

SHA512
0497e0382e042766f1abd1007e61a49ef8ad393aa18fc9088565e9468b7a4e5ce8850acc2aaa354a628a9b128eec5dc9d996a8ad6336cbf09402a989423ea264

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAcIsoco.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAwy.exe

Filesize
842KB

MD5
a95d59f02da1cf923f81f9ab549837a0

SHA1
dc90114c9a24022dd600fd951c7fd42a254c577a

SHA256
ac6cf2c9c626ceb86700f5436d4979088069304e055f3383e0e9f9b2cfc6333d

SHA512
68ff812f465af03f392649d46d313f603f9a4f9fa1ecc7dd15a3809edd7a4ff9f5f0025166e8661bc305d6c62b33c67c31d6578ac1220a8c197e0067641f20e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUoU.exe

Filesize
198KB

MD5
f73e28a49cdd74e71447cc890aaada5c

SHA1
a2c8ebfe7c94df01db18f24a18b716db08b5da0d

SHA256
24bcadd1a6e1c6cb280ea27a8b0533297094fbb46d8b530ae1f6f1df890b5287

SHA512
6a23ccdcb0beda13d726834fdfca332e43094bf6ad9dad0941fddc4eaaf70204a5c203d072c22892366f0e00336a0067a737d91b50a1afc8087a63a79f1696bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgoC.exe

Filesize
782KB

MD5
63408b5e0d78eb7be64e07ac948bf60a

SHA1
a4de0799bb0dbc7a89b37a5cc0a43988143f6220

SHA256
1d79d13f7f709f23b0e1da47af0f89037522415d7168817e3a71328af088c9f8

SHA512
15a7224f89fdea84d194828b5a65ba37ccb13b22af6a8ca513f80288e11b9a240797b8828f54f7da259e703f206e634a3289e8bc0a77cdaaaa764b8dcd7da132

Download Submit
C:\Users\Admin\AppData\Local\Temp\twoE.exe

Filesize
207KB

MD5
75ff0fa2d3dcb98e01237475edc20fba

SHA1
56e83bd44fa78276d9051777d790c49bd5c5014a

SHA256
458a01e50b3203c10630aac1073d5eeaa38e8a47f7f63ae893bd79b80d80afd3

SHA512
51de7455375c25b7b685c9d4d8936e9fe9f0ab42876ac648f03933d7a0ab909a245aa1bfaa76aa47a15f0edc12d259c8e4731388226447fedddeecfffa375370

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAQU.exe

Filesize
197KB

MD5
bccb9f72c0bc0d6399d70aa18ca9b8b2

SHA1
3e09eefb06376ff9060b005dea5015109185463b

SHA256
a90dbc1374afe89f05822d12f71c483ce5ce8cea30a1d346a758833aa1a11486

SHA512
c81340104b6af33a2e2a068eeeaf69e3ce0da4a38f1d10100822a81971c96a0e798cc05f023efa0f5ed782299edfb8f905eb1945ad74a82cb3d5ec2a8f366125

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQMk.exe

Filesize
228KB

MD5
877c091b720dedc911ab19d4ec354c22

SHA1
0c4077285f94b8f7aae5a52624cfca2ee4c4dcdb

SHA256
323b95c8f57e9fbdb9495c2e1098591e1e8fd70b443ecd88e6ac421f42d8fe6b

SHA512
04de6ad426e0e625277b593224e09deb40bb8baf4455e69fd32e871a323dfd3e1df6ca694557fc2706b8fe7771455ec19e1ba470fcda78b7bf611a8c0b0fad8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwcQwYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vosQ.exe

Filesize
185KB

MD5
b7fd6a78d61d165c162e48fcf6aaa5fb

SHA1
9c8cbef152e9e068ef33d5c6b8cf031e2e23c3ef

SHA256
4fa1b3514e8133fd50a573fa2f81c2591688d0491f7c1e5c6335a29a1e214a1c

SHA512
49aaa0cf9b56850ee62402a5ff3137866438c2c05df620479e2de8239096c286b065c48d0845916c8d4add6a4e5acdd494387850ae7a66e8b85fce57cb85fb0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYcY.exe

Filesize
204KB

MD5
fed3f3fcd046e4d47aa6a2b52722b947

SHA1
4f4c25bff4d6db9a1378b9514d7c112143f8ab34

SHA256
b1d1e6b16016e5c6b8c6ca4d7c48bc8c27806d0b37bf2e5674ee0225b6b84bdf

SHA512
8b592b5c115df51ff45199e9d3e75cec44405268bfa08484960f4964a0e0d35c8f025dd3153cd93d779fe7eb1fc54e212e2124cfe427267dd4721be43df11a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgII.exe

Filesize
270KB

MD5
b73db3e3ea93a2bbfa1c11b6f2f6cc48

SHA1
a6d33e4c8925c5bc08fea061987f484ee6a609ae

SHA256
66fac47d5837cee3e4f704405e9f35950191b67bcc8e855cb8e825357f379a3f

SHA512
4c9e22e925ed6c7471e3bd26c1dd70876c98f6094eba3a8eec585e39e322b3d18624b76eff4eaa5ca238ccebc6851ef37c6be3e5e2598ca9cdbb17a59bdd23e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkwI.exe

Filesize
626KB

MD5
832b6c48b9b4c37eae760580afd4fede

SHA1
6455088692486ecfcf0d4599dee93dcd96246183

SHA256
ae2b159e9562ae3c92d0d9cc6a23158b4183dc68e63e4323efed6779c44b9876

SHA512
45cbe9698564b085cb6a48d611b07b107951aa63c93a9db63fc6f02bf6901b5679dcad364ae1d675b8200b6d7ad789d54cda1aacfc03957a7f07b8c37363c573

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAEE.exe

Filesize
487KB

MD5
56ddb947ffdae84263bb0c726ac6e9d3

SHA1
cd5327a7034b8d0cdcf7f5f71612211638767e60

SHA256
368463bb2534d5e9939147343dd3b7f9cfe9f15fa3b850ed9dbf8dad1f795170

SHA512
9dbcb3cd82a8a3c2520e219fc9b020fc27dbc4db9ab4abfe827d651afc2b84084b667ac5ad34b3aa6a0b637830eb34fb836b6329bca6e867b04268e7378e15aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUYy.exe

Filesize
221KB

MD5
2ebdd6a7022b7f1645c1434af4c3ab69

SHA1
0ba79b0c60596362ef2375573ded7325e32de0f5

SHA256
a29fea11a039e0be6d8ea63da3b648b40ae80d24909fec943a053b35105f1e61

SHA512
db0461b913cdc935d4d92ad5d053fc47f6e1eb936976609f0fb42e51051a98b0fe4fa7f9e6a0fcd0d74dc0072a2eaebc64cad76f440b888ad338e1c35b951f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYYq.exe

Filesize
201KB

MD5
4b8578fde901b65ab8c9bf5824d2b729

SHA1
5a7916b2b029c5cd2cb3a5d939195e0f6197060e

SHA256
630e37bbed0e276e628955eee99612315720c129ef3268fdb6e0bc58638a1712

SHA512
c08a76d4ba02a661bddfd4c8c6b775a415c9b8490ac9cf786e733f23b235c0829d67a1e5406784ced99e01bc0dc9e2fa88fe28354888272c7f20a09737cbf288

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcIU.exe

Filesize
193KB

MD5
db3c7b5bb87e5e76e4b07fe12df65255

SHA1
e63dddfe7a964f7749ab9dfeebe7b40bdc59f684

SHA256
368c84952d8aeb3343fb3359b0b713329e32da2c346594cb55595b958a4f56b4

SHA512
a3b3673664407c067a71208d6f9e02e0ba9b8b43a0f3f9a1698c8ae3e3ed2b854c76d2da81e937a84826b9553ae325e1cd594d6793bf95a45615713fff4d3f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqEUkQsQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEko.exe

Filesize
207KB

MD5
8d64b6f938720fc1c15f6c91e0dd3884

SHA1
34c73452cf34be5e6dbc4bc8219078ebd3c9c9cb

SHA256
0eed3dd2b1044d22b05a74107948e46ff868976a77ea582e2c9cdeb550352aac

SHA512
871ed6f30cc1e7a702150293c212b80239072497a23cd92da350909ada7d969e09276133621474d4ce4bba484167ed959f8600c035fe7baad440b06173c28f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMMI.exe

Filesize
191KB

MD5
60778eeaae74589334633a908355b92c

SHA1
34bea8c65b08cc480c8519d5cac82e9353a39159

SHA256
5168a30c6dd227f0f39948a27caa8edf6a2084392b79b65ad7d174f90a5479ea

SHA512
45b40953a36e1d7e264002061cfe724df5d78a4fa61491390c5cd0eeb1848cfa6aba36eff4f52884299020ff418b8bf6611fb4bf947631af1e0b0fc3eb4f7837

Download Submit
C:\Users\Admin\AppData\Local\Temp\yWYEAgAM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoAu.exe

Filesize
470KB

MD5
1e4c4e22fb54280ca1ced8012978dfcc

SHA1
cef95d222f2fdd9001d11f7c30b60207fc6a19e3

SHA256
fe0772b519c999fd0e31c415143f84d4d6c82a0fda08c6d0a5fdcd8165f1a72f

SHA512
de94670f984854ac1bb225cac0d5d655a586fef9662b30bc2d1de25ddb47108efce2ea0e63743e848aac417d94fac81bb021516958743ffa596ea0a18ad69506

Download Submit
C:\Users\Admin\AppData\Local\Temp\yosE.exe

Filesize
224KB

MD5
e9248117672b46aa4bf48c798bd82ccc

SHA1
38cd859adfd68161ea1b5299e9f828b857966935

SHA256
50f1fe8cc11055f92ed098b084e40f9d0cf0f73c0559859488066fb07b6b22f3

SHA512
de36ef23f3c9073ca72a852efeef68207774ef03af9654de942d678739af4795730e3abdfd8aa1c1fc5d46ae38c4ee3d1701ce012d07bdbaadcb4d54564a3d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysMs.exe

Filesize
654KB

MD5
4acc23b10ab4d91f8f0d82c43ebb26fa

SHA1
2690920b7cbb3a4fbcdeb4d1ab7f5f6fb9ce7216

SHA256
13b9031b86383cf1926c3e0e4923657fd8c664f8c597e0382c292d39d98d326d

SHA512
e7d8ec3b955c855ee5cb9aa66df2a287a0db2c7741110f2caaa23084ead24e57c00fde0393f3db69031ada1a241cb1cf25b3b1bfe523e96acc2fd5740d489ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywsq.exe

Filesize
187KB

MD5
50347d425fd6f8f89ff66ce87125342a

SHA1
8ee3c715f78e675d87868f7a141fb7e99347dedc

SHA256
775d0c97477d281e45054e3723e3fc56ea7f116e4b5b633a899112589d1a2837

SHA512
b6668c4a5d43d039d4001fe6a8757ce09fbabb15e29bb0f89c63d80db6d5c7266692a03f0c91e798de5f5142ea04c132f796f2a71deab9b3a18b769fc7638ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYse.exe

Filesize
416KB

MD5
a8bea6dda32a4954e5f96e6602bd36cd

SHA1
d684e46475d24ba3b020d3cea99eacf9a8f3a0ba

SHA256
3ef22eaa18f22b289756949348a44ded1c73bedf710c0eb6e976e5df399f95f8

SHA512
5767dfc2ef6ee7f11827515ee60239921082d01bfad7463240baed65268b66b4fdaaf3641928394bbca120daf6059afbcbb926b60b57405cb2c4e1b4debbd510

Download Submit
C:\Users\Admin\DCsssYQQ\bUgMoQYk.exe

Filesize
196KB

MD5
4ffa7b4d9f86ead854b43daa30044d20

SHA1
cd837e4728dbcb6b9fc8d74157a862d8e4d4b45f

SHA256
43b0daa5da092b402d6a4bf514ca54f4a5eba7c91fb4972857348425052602f3

SHA512
427926ae829c05ca038e0dc9bd71f2cacabda9ea6cd4700a5e6d914b5a28ac598192ead76a81d494c90480135b5af5482ce2afe7c717ca7d8657d7059778415a

Download Submit
C:\Users\Admin\DCsssYQQ\bUgMoQYk.exe

Filesize
196KB

MD5
4ffa7b4d9f86ead854b43daa30044d20

SHA1
cd837e4728dbcb6b9fc8d74157a862d8e4d4b45f

SHA256
43b0daa5da092b402d6a4bf514ca54f4a5eba7c91fb4972857348425052602f3

SHA512
427926ae829c05ca038e0dc9bd71f2cacabda9ea6cd4700a5e6d914b5a28ac598192ead76a81d494c90480135b5af5482ce2afe7c717ca7d8657d7059778415a

Download Submit
C:\Users\Admin\DCsssYQQ\bUgMoQYk.inf

Filesize
4B

MD5
278824e0906a5e54d2ec2cb25e4f7599

SHA1
ac16eb74d3c7e4a3c2dedc0accba285d60543a41

SHA256
3588b36b50ac5cfe6232871b2d2fab6ad9c1181274a91542b36e240696ad8760

SHA512
5b60bcafd3ef2c9d65d51f8cdd15776f741705f46b8f545e3be4d090ba206a3ccccd052898bf4b5c00f2ab568a80b8964b58412214ea5fb22bde6fb130ec61fe

Download Submit
C:\Users\Admin\DCsssYQQ\bUgMoQYk.inf

Filesize
4B

MD5
60821d65c5c6d55bc301969523bdbbdb

SHA1
e512311460b9cdb18ff6bcdbeeea32b35c494596

SHA256
e75e1ce1d647bbd5d5fd2594fd9c18d46ef9d23a5700ddce6e57f03af9b1db5b

SHA512
f525cf5e20153b0e8f232a0fb9edc1081a1a08fca9b9ccbf48a1a3666e635c481d2ce6639e0882bbc2f6d0e80e495282b493edfad710b74e4a2c53ba69de2b74

Download Submit
C:\Users\Admin\DCsssYQQ\bUgMoQYk.inf

Filesize
4B

MD5
d3685d14c497144e6140bb2474440ad5

SHA1
96dc28b42c8f5cc550e535e5c1458fe34259db7b

SHA256
efdd64c2a710132831b014ba9650c7706b1046fea054dc1659058b585b85a8d5

SHA512
a72482ab0fcae15dea9c4f15c9c766018e1a9017f9d4338c62d4c14f7e11569a74bf10f59c0998f39c522fdad70463d5dc586170febbd8ac0f05de680d28015b

Download Submit
memory/468-443-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/544-275-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/548-250-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/632-479-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/740-433-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/872-535-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1528-543-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1792-416-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1808-363-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1956-157-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1980-190-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2068-471-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2068-464-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2252-226-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2252-221-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2368-489-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2368-312-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2520-406-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2520-399-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2548-177-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2584-156-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2636-251-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2636-262-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2828-597-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2888-517-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2888-525-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2984-516-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3164-213-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3220-444-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3220-452-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3244-314-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3244-325-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3284-201-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3356-166-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3356-551-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3356-155-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3364-578-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3420-570-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3584-387-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3584-380-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3672-352-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3672-344-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3680-237-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3760-287-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3760-610-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3760-614-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3760-279-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3764-133-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3764-150-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3788-302-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3988-397-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4316-560-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4316-552-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4432-508-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4656-492-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4656-498-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4704-462-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4868-425-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4868-421-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4872-340-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4988-378-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4992-605-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/5056-587-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/5056-583-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download