a3e9e59b9da539a8b7ce869d598ccff75060b6e0cf136552b31dee2cd1bcea1a

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5d7c65b0c09f3exeexeexeex.exe
Size

187KB
MD5

d5d7c65b0c09f363d0b4736db6512738
SHA1

32c220f69b60ede71966b32fc7f8ce4bda8fc3e8
SHA256

a3e9e59b9da539a8b7ce869d598ccff75060b6e0cf136552b31dee2cd1bcea1a
SHA512

082ff2b6d1d8e38b93aa1a0a41fa27260c8d8181551eb287f1c9b550c0a8ed96263e8b0f5ebe98d2928c55f0781d6d9718f083f1b8de8dc2965d72f80253000b
SSDEEP

3072:iqe5+e4kXedsW3lVWDnzE1Q6KWKVy+T8T4Ti2T7TATATITbTTUTTI69FKKrtuVu8:OAe4pqzE1QDXFT8T4Ti2T7TATATITbTb

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	d5d7c65b0c09f3exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	d5d7c65b0c09f3exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d5d7c65b0c09f3exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d5d7c65b0c09f3exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	DQcIQUQg.exe

Executes dropped EXE 2 IoCs

pid	Process
5012	UGcsYQMY.exe
464	DQcIQUQg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DQcIQUQg.exe = "C:\\ProgramData\\GgEYgogM\\DQcIQUQg.exe"	d5d7c65b0c09f3exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DQcIQUQg.exe = "C:\\ProgramData\\GgEYgogM\\DQcIQUQg.exe"	DQcIQUQg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGcsYQMY.exe = "C:\\Users\\Admin\\pYgEsYsU\\UGcsYQMY.exe"	UGcsYQMY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGcsYQMY.exe = "C:\\Users\\Admin\\pYgEsYsU\\UGcsYQMY.exe"	d5d7c65b0c09f3exeexeexeex.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d5d7c65b0c09f3exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d5d7c65b0c09f3exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d5d7c65b0c09f3exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d5d7c65b0c09f3exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d5d7c65b0c09f3exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2796	reg.exe
1400	reg.exe
1212	reg.exe
1924	reg.exe
4688	reg.exe
3372	reg.exe
5084	reg.exe
4080	Process not Found
8	reg.exe
732	reg.exe
3816	reg.exe
428	reg.exe
3088	reg.exe
4840	reg.exe
2876	Process not Found
3044	reg.exe
2152	reg.exe
3704	reg.exe
2772	Process not Found
4508	reg.exe
2612	reg.exe
3404	reg.exe
4980	reg.exe
2704	Process not Found
2328	reg.exe
4436	reg.exe
2944	reg.exe
4704	reg.exe
892	reg.exe
4120	reg.exe
3420	reg.exe
3624	Process not Found
1632	reg.exe
4124	reg.exe
1980	reg.exe
376	reg.exe
1404	reg.exe
2784	reg.exe
4480	reg.exe
2040	Process not Found
2152	reg.exe
4300	reg.exe
3604	reg.exe
936	reg.exe
4080	reg.exe
2592	reg.exe
3688	reg.exe
1580	reg.exe
4964	Process not Found
5064	reg.exe
8	reg.exe
556	reg.exe
4416	Process not Found
4352	reg.exe
4540	Process not Found
876	Process not Found
3048	reg.exe
4540	reg.exe
4320	reg.exe
1400	reg.exe
4192	reg.exe
4500	reg.exe
8	reg.exe
2980	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
936	d5d7c65b0c09f3exeexeexeex.exe
936	d5d7c65b0c09f3exeexeexeex.exe
936	d5d7c65b0c09f3exeexeexeex.exe
936	d5d7c65b0c09f3exeexeexeex.exe
4120	d5d7c65b0c09f3exeexeexeex.exe
4120	d5d7c65b0c09f3exeexeexeex.exe
4120	d5d7c65b0c09f3exeexeexeex.exe
4120	d5d7c65b0c09f3exeexeexeex.exe
3656	d5d7c65b0c09f3exeexeexeex.exe
3656	d5d7c65b0c09f3exeexeexeex.exe
3656	d5d7c65b0c09f3exeexeexeex.exe
3656	d5d7c65b0c09f3exeexeexeex.exe
4524	d5d7c65b0c09f3exeexeexeex.exe
4524	d5d7c65b0c09f3exeexeexeex.exe
4524	d5d7c65b0c09f3exeexeexeex.exe
4524	d5d7c65b0c09f3exeexeexeex.exe
1524	d5d7c65b0c09f3exeexeexeex.exe
1524	d5d7c65b0c09f3exeexeexeex.exe
1524	d5d7c65b0c09f3exeexeexeex.exe
1524	d5d7c65b0c09f3exeexeexeex.exe
2360	reg.exe
2360	reg.exe
2360	reg.exe
2360	reg.exe
3472	Conhost.exe
3472	Conhost.exe
3472	Conhost.exe
3472	Conhost.exe
4184	d5d7c65b0c09f3exeexeexeex.exe
4184	d5d7c65b0c09f3exeexeexeex.exe
4184	d5d7c65b0c09f3exeexeexeex.exe
4184	d5d7c65b0c09f3exeexeexeex.exe
2744	d5d7c65b0c09f3exeexeexeex.exe
2744	d5d7c65b0c09f3exeexeexeex.exe
2744	d5d7c65b0c09f3exeexeexeex.exe
2744	d5d7c65b0c09f3exeexeexeex.exe
4480	Process not Found
4480	Process not Found
4480	Process not Found
4480	Process not Found
4632	d5d7c65b0c09f3exeexeexeex.exe
4632	d5d7c65b0c09f3exeexeexeex.exe
4632	d5d7c65b0c09f3exeexeexeex.exe
4632	d5d7c65b0c09f3exeexeexeex.exe
3828	d5d7c65b0c09f3exeexeexeex.exe
3828	d5d7c65b0c09f3exeexeexeex.exe
3828	d5d7c65b0c09f3exeexeexeex.exe
3828	d5d7c65b0c09f3exeexeexeex.exe
4464	d5d7c65b0c09f3exeexeexeex.exe
4464	d5d7c65b0c09f3exeexeexeex.exe
4464	d5d7c65b0c09f3exeexeexeex.exe
4464	d5d7c65b0c09f3exeexeexeex.exe
924	d5d7c65b0c09f3exeexeexeex.exe
924	d5d7c65b0c09f3exeexeexeex.exe
924	d5d7c65b0c09f3exeexeexeex.exe
924	d5d7c65b0c09f3exeexeexeex.exe
3020	d5d7c65b0c09f3exeexeexeex.exe
3020	d5d7c65b0c09f3exeexeexeex.exe
3020	d5d7c65b0c09f3exeexeexeex.exe
3020	d5d7c65b0c09f3exeexeexeex.exe
4188	cmd.exe
4188	cmd.exe
4188	cmd.exe
4188	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
464	DQcIQUQg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe
464	DQcIQUQg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 5012	936	d5d7c65b0c09f3exeexeexeex.exe	84
PID 936 wrote to memory of 5012	936	d5d7c65b0c09f3exeexeexeex.exe	84
PID 936 wrote to memory of 5012	936	d5d7c65b0c09f3exeexeexeex.exe	84
PID 936 wrote to memory of 464	936	d5d7c65b0c09f3exeexeexeex.exe	85
PID 936 wrote to memory of 464	936	d5d7c65b0c09f3exeexeexeex.exe	85
PID 936 wrote to memory of 464	936	d5d7c65b0c09f3exeexeexeex.exe	85
PID 936 wrote to memory of 4824	936	d5d7c65b0c09f3exeexeexeex.exe	86
PID 936 wrote to memory of 4824	936	d5d7c65b0c09f3exeexeexeex.exe	86
PID 936 wrote to memory of 4824	936	d5d7c65b0c09f3exeexeexeex.exe	86
PID 936 wrote to memory of 4616	936	d5d7c65b0c09f3exeexeexeex.exe	93
PID 936 wrote to memory of 4616	936	d5d7c65b0c09f3exeexeexeex.exe	93
PID 936 wrote to memory of 4616	936	d5d7c65b0c09f3exeexeexeex.exe	93
PID 936 wrote to memory of 5068	936	d5d7c65b0c09f3exeexeexeex.exe	92
PID 936 wrote to memory of 5068	936	d5d7c65b0c09f3exeexeexeex.exe	92
PID 936 wrote to memory of 5068	936	d5d7c65b0c09f3exeexeexeex.exe	92
PID 936 wrote to memory of 2044	936	d5d7c65b0c09f3exeexeexeex.exe	91
PID 936 wrote to memory of 2044	936	d5d7c65b0c09f3exeexeexeex.exe	91
PID 936 wrote to memory of 2044	936	d5d7c65b0c09f3exeexeexeex.exe	91
PID 936 wrote to memory of 832	936	d5d7c65b0c09f3exeexeexeex.exe	90
PID 936 wrote to memory of 832	936	d5d7c65b0c09f3exeexeexeex.exe	90
PID 936 wrote to memory of 832	936	d5d7c65b0c09f3exeexeexeex.exe	90
PID 4824 wrote to memory of 4120	4824	cmd.exe	97
PID 4824 wrote to memory of 4120	4824	cmd.exe	97
PID 4824 wrote to memory of 4120	4824	cmd.exe	97
PID 832 wrote to memory of 2240	832	cmd.exe	98
PID 832 wrote to memory of 2240	832	cmd.exe	98
PID 832 wrote to memory of 2240	832	cmd.exe	98
PID 4120 wrote to memory of 4780	4120	d5d7c65b0c09f3exeexeexeex.exe	99
PID 4120 wrote to memory of 4780	4120	d5d7c65b0c09f3exeexeexeex.exe	99
PID 4120 wrote to memory of 4780	4120	d5d7c65b0c09f3exeexeexeex.exe	99
PID 4780 wrote to memory of 3656	4780	cmd.exe	101
PID 4780 wrote to memory of 3656	4780	cmd.exe	101
PID 4780 wrote to memory of 3656	4780	cmd.exe	101
PID 4120 wrote to memory of 2160	4120	d5d7c65b0c09f3exeexeexeex.exe	103
PID 4120 wrote to memory of 2160	4120	d5d7c65b0c09f3exeexeexeex.exe	103
PID 4120 wrote to memory of 2160	4120	d5d7c65b0c09f3exeexeexeex.exe	103
PID 4120 wrote to memory of 4452	4120	d5d7c65b0c09f3exeexeexeex.exe	102
PID 4120 wrote to memory of 4452	4120	d5d7c65b0c09f3exeexeexeex.exe	102
PID 4120 wrote to memory of 4452	4120	d5d7c65b0c09f3exeexeexeex.exe	102
PID 4120 wrote to memory of 1828	4120	d5d7c65b0c09f3exeexeexeex.exe	109
PID 4120 wrote to memory of 1828	4120	d5d7c65b0c09f3exeexeexeex.exe	109
PID 4120 wrote to memory of 1828	4120	d5d7c65b0c09f3exeexeexeex.exe	109
PID 4120 wrote to memory of 3100	4120	d5d7c65b0c09f3exeexeexeex.exe	105
PID 4120 wrote to memory of 3100	4120	d5d7c65b0c09f3exeexeexeex.exe	105
PID 4120 wrote to memory of 3100	4120	d5d7c65b0c09f3exeexeexeex.exe	105
PID 3100 wrote to memory of 3752	3100	cmd.exe	110
PID 3100 wrote to memory of 3752	3100	cmd.exe	110
PID 3100 wrote to memory of 3752	3100	cmd.exe	110
PID 3656 wrote to memory of 2632	3656	d5d7c65b0c09f3exeexeexeex.exe	111
PID 3656 wrote to memory of 2632	3656	d5d7c65b0c09f3exeexeexeex.exe	111
PID 3656 wrote to memory of 2632	3656	d5d7c65b0c09f3exeexeexeex.exe	111
PID 2632 wrote to memory of 4524	2632	cmd.exe	113
PID 2632 wrote to memory of 4524	2632	cmd.exe	113
PID 2632 wrote to memory of 4524	2632	cmd.exe	113
PID 3656 wrote to memory of 2248	3656	d5d7c65b0c09f3exeexeexeex.exe	121
PID 3656 wrote to memory of 2248	3656	d5d7c65b0c09f3exeexeexeex.exe	121
PID 3656 wrote to memory of 2248	3656	d5d7c65b0c09f3exeexeexeex.exe	121
PID 3656 wrote to memory of 5056	3656	d5d7c65b0c09f3exeexeexeex.exe	120
PID 3656 wrote to memory of 5056	3656	d5d7c65b0c09f3exeexeexeex.exe	120
PID 3656 wrote to memory of 5056	3656	d5d7c65b0c09f3exeexeexeex.exe	120
PID 3656 wrote to memory of 4364	3656	d5d7c65b0c09f3exeexeexeex.exe	119
PID 3656 wrote to memory of 4364	3656	d5d7c65b0c09f3exeexeexeex.exe	119
PID 3656 wrote to memory of 4364	3656	d5d7c65b0c09f3exeexeexeex.exe	119
PID 3656 wrote to memory of 3788	3656	d5d7c65b0c09f3exeexeexeex.exe	114

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d5d7c65b0c09f3exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d5d7c65b0c09f3exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d5d7c65b0c09f3exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	d5d7c65b0c09f3exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	d5d7c65b0c09f3exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\pYgEsYsU\UGcsYQMY.exe
  "C:\Users\Admin\pYgEsYsU\UGcsYQMY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5012
- C:\ProgramData\GgEYgogM\DQcIQUQg.exe
  "C:\ProgramData\GgEYgogM\DQcIQUQg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
    C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        8⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        10⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        11⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        12⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        13⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        14⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        16⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        18⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        19⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        20⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        22⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        24⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        26⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        28⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        30⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        31⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        32⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        33⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        34⤵
        
        PID:3252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        35⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        36⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        37⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        38⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        39⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        40⤵
        
        PID:1724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        41⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        42⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        44⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        45⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        46⤵
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        47⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        48⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        49⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        50⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        51⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        52⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        53⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        54⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        55⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        56⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        57⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        58⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        59⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        60⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        61⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        62⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        63⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        64⤵
        
        PID:2152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        65⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        66⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        67⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        68⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        69⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        70⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        71⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        72⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        73⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        74⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        75⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        76⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        77⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        79⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        80⤵
        
        PID:3140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        81⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        82⤵
        
        PID:4980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        83⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        84⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        85⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        86⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        87⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        88⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        89⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        90⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        91⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        92⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        93⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        94⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        95⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        96⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        97⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        98⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        99⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        100⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        101⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        102⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        103⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        104⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        105⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        106⤵
        
        PID:4944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        107⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        108⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        109⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        110⤵
        
        PID:2916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        111⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        112⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        113⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        114⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        115⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        116⤵
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        117⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        118⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        119⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        120⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        121⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        122⤵
        
        PID:2600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        UAC bypass
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        123⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        124⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        125⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        126⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        127⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        128⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        129⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        130⤵
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        131⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        132⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        133⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        134⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        135⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        136⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        137⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        138⤵
        
        PID:2840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        139⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        140⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        141⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        142⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        143⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        144⤵
        
        PID:720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        145⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        146⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        147⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        148⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        149⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        150⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        151⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        152⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        153⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        154⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        155⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        156⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        157⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        158⤵
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        159⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        160⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        161⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        162⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        163⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        164⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        165⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        166⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        167⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        168⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        169⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        170⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        171⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        172⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        173⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        174⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        175⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        176⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        177⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        178⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        179⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        181⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        182⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        183⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        185⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        186⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        187⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        188⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        189⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        190⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        191⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        192⤵
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        UAC bypass
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        193⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        194⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        195⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        196⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        197⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        198⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        199⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        200⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        201⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        202⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        203⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        204⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        205⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        206⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        207⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        208⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        209⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        210⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        211⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        212⤵
        
        PID:3268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        213⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        214⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        215⤵
        Modifies visibility of file extensions in Explorer
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        216⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        217⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        218⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        219⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        220⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        221⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        222⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        223⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        224⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        225⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        226⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        227⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        228⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        229⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        230⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        231⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        232⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        233⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        234⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        235⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        236⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        237⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        238⤵
        
        PID:2876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        239⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        240⤵
        
        PID:3680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        241⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        242⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        243⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        244⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        245⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        246⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        247⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        248⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        249⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        250⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        251⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        252⤵
        
        PID:2000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        253⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        254⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        255⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex"
        256⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex
        257⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkQokwIk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        256⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        UAC bypass
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        Modifies registry key
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        Modifies registry key
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmAwkwQI.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        254⤵
        
        PID:2832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwYcgUEw.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        252⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        Modifies registry key
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQUYYwcI.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        250⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsYIowsc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        248⤵
        
        PID:2196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcwQkscQ.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        246⤵
        
        PID:1508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        UAC bypass
        
        PID:2488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSYYMIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        244⤵
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:4604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayIwQEIk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        242⤵
        
        PID:2744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgcIcwoE.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        Modifies registry key
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XakIsIsw.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        238⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:4636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUYsUQEM.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        236⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        Modifies registry key
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUAosIok.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        234⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIQAMIEI.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        232⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeAgwwEY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        230⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies registry key
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKQEcUcc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        228⤵
        UAC bypass
        Checks whether UAC is enabled
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KukEIMoc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        226⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIsQYYsU.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        224⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeQYUkIk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        222⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgoUQcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        220⤵
        
        PID:2440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqAIMgoM.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        218⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyIQwMoE.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        216⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies registry key
        
        PID:4320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        UAC bypass
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoAEwwso.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        214⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:1908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWQUMYoU.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        212⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies registry key
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYgYMEYU.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        210⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies registry key
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCUgcAAU.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        208⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:4000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgUwQAwI.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        206⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies registry key
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkMQwgMM.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        204⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOoosocE.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        202⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies registry key
        
        PID:3688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:1744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:3500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUkQoEkY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        200⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        202⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VowcUkUc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        198⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIUUcIow.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        196⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        Modifies registry key
        
        PID:3048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgooUkss.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwIkgMkk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        192⤵
        
        PID:2756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        UAC bypass
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:2592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        UAC bypass
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nygUEkIk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        190⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWkQgMIU.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        188⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoIkccoM.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        186⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies registry key
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McMoYUIU.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        184⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCIEQoYY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        182⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:2980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsQYcUYs.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        180⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMEowssU.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        178⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKwgAYUc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        176⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqIUYYYw.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        174⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCMcQccg.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        172⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        Modifies registry key
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEokwgYw.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        170⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scokooQY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        168⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        170⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DygMoAwI.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        166⤵
        
        PID:4436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        Modifies registry key
        
        PID:1924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\segUsEYY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        164⤵
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weMUsoYE.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        162⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwoIMowM.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        160⤵
        
        PID:4960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        UAC bypass
        
        PID:740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gawgAUQw.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        158⤵
        
        PID:1060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VowcMkEk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        Modifies registry key
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smkoYEMA.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        154⤵
        
        PID:3640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UikYYEgs.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        152⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        UAC bypass
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqAcssYo.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        150⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOckUQws.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        148⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuIMgcsE.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        146⤵
        
        PID:2992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmEIEssc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        144⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:1212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQcIUwog.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        142⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIAMEUoo.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        140⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYggMYkk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        138⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUgUosAY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        136⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:3568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:2896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGgkwEkw.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        134⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEYEosIk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        132⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:2360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgsgQYok.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        130⤵
        
        PID:4068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAMAoEUI.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        128⤵
        
        PID:3820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOgQoAgA.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        126⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmgAMYgc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        124⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOUoYokw.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        122⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuIwskcY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        120⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:2796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:1832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCsEsgwo.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        118⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAskYIIY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        116⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:3992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgEYQYMg.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        114⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYQcIoYc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        112⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAkEkwkc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        110⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        UAC bypass
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:4436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYoYEYEM.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        108⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAYwcwgI.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        106⤵
        
        PID:1876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:4120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiEYkoEc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        104⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suwQAYsw.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        102⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        Modifies registry key
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwsgEwYk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        100⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSMQsMYA.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        98⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        UAC bypass
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuAUcIMs.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        96⤵
        
        PID:2348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyMIQoAM.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        94⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwosQkIA.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        92⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKcEMQUc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        90⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcAMYMIY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        88⤵
        
        PID:2248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCkwgkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        86⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISkkgoYk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        84⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeMsEYwc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        82⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkEcAAwc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        80⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUUMIwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        78⤵
        
        PID:1772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        Modifies registry key
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCQIwoAM.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        76⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaQkQwYk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        74⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOsEMkwI.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        72⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DekkUggY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        70⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAoIokkM.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        68⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uaAYsMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        Modifies registry key
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsgEcwww.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        64⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqsgIoMA.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        62⤵
        
        PID:1416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYMkMsQE.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        60⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEIQcsME.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        58⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        UAC bypass
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCokEIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        56⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JekoQoEA.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        54⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGkEwQkk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        52⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cawgwkUA.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        50⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwosYMoE.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        48⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meocYYks.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        46⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkYsIUgI.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        44⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCYocIQU.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        42⤵
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgkMwAEY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        40⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGIskoEE.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        38⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkgoYUco.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        36⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqwwQcMk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        34⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMUokwQw.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        32⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niEIsYgw.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        30⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAEYcIso.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        28⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KocwUoUc.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        26⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOkQwkMY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        24⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKgcokEw.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        22⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCsIowEo.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        20⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUoUkcgw.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        18⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcsIcokM.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        16⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOIccAQk.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        14⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCsckUcU.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        12⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VaokwoMY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        10⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQUIMUQY.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        8⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcoUQksU.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
        6⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:876
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4364
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:5056
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4500
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4452
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqAEkYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3100
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3752
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TggYEIAg.bat" "C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2240
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2044
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5068
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2916
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1376

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4748

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GgEYgogM\DQcIQUQg.exe

Filesize
201KB

MD5
a091149f954330bed9b5d6bed527eb54

SHA1
7c3fba370d733f91d760a84b87673c109b73aa63

SHA256
d530a8ac2e9bf69e37baeeaf4aca11073537d26e25c55aae20809fb791be84f8

SHA512
9b2bbeb80d082a8c4aa5b02333f51973831d216a7dca64bbd120a9fe8dd973859d0209f38b12eefe371715cf51bcd83e2029411225529d23b3c71565f6be946c

Download Submit
C:\ProgramData\GgEYgogM\DQcIQUQg.exe

Filesize
201KB

MD5
a091149f954330bed9b5d6bed527eb54

SHA1
7c3fba370d733f91d760a84b87673c109b73aa63

SHA256
d530a8ac2e9bf69e37baeeaf4aca11073537d26e25c55aae20809fb791be84f8

SHA512
9b2bbeb80d082a8c4aa5b02333f51973831d216a7dca64bbd120a9fe8dd973859d0209f38b12eefe371715cf51bcd83e2029411225529d23b3c71565f6be946c

Download Submit
C:\ProgramData\GgEYgogM\DQcIQUQg.inf

Filesize
4B

MD5
65e316dc6e14cad185f5f951ea2ab923

SHA1
a4ca0c02b31f558cfa4002f420abaec034289937

SHA256
e4e5ac0a9ed2bc778a18e2bead64f645688fc825512416e9335798a6ede72969

SHA512
a24b1ba8c995b2588bbadd23fcd9965f9f1f070fe21e80f3acc8eb36dbcfb53be029df7d53d64a8b24a4e961c1f237d3abca46e0df1388a05a63501f324a386f

Download Submit
C:\ProgramData\GgEYgogM\DQcIQUQg.inf

Filesize
4B

MD5
ef45fc19e4ede0b50c6f41bcd1ce1206

SHA1
ed54105f7ac65b09f972b08036f60012d107f57a

SHA256
2462b0ac857d757f956e14621e9a4f60d837f722dd553165761bfb5ac3e77663

SHA512
bb9446c9d91f206270c6dbd6bd3d4debdab4ffc78a35a417a311a3cd595360a89a3c0225bfe1d2aff969c0d32782698137b0e75a3a42db43f3776b2a107e17c1

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
329KB

MD5
79d8705636e3060f9417a044b9ea3866

SHA1
489fd44da44251e68431aa2ce1e3dfd124e1aa24

SHA256
83f06e5dfa24ed513038c735cd835e0d59c9aff67ee2eb3b2689da64fe540677

SHA512
a42ea7c54ecc3902c0504b0f3ae82d59be6d18765de71719cf3f975e27b472f10aa926bcaf95482615d9f658c904816e0ab1e0247710eb9f6326c9c13f08a809

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
222KB

MD5
911092ca47c686fdf97909cba4a3932e

SHA1
d5c7bf517b8e7ced7cf113967e83847eaab70137

SHA256
ac2bd0b69803b201a333d1f4d36b4765aadf3512f7ffdcb95ea789af063d740a

SHA512
9cd2cfac3a35406e6f647a3775dd64e231b65626d50688f6148be7bd82620ccd5bb6738f68ead2a53de7d288b943378c3f97c8af4d06459c3c587f4296bc1f23

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
320KB

MD5
ccca4c9bb9949cc8df42a4f3551e4fa4

SHA1
1bde49fae9fda77ab5e56c4666e78ca121f85fc1

SHA256
d1a38a5792a555e1465a580f02dc03a9c4025f4fa3b26811769f6bc4b6209269

SHA512
9cd2b6849d73a7238c6845809a08f0ee83be19a10d49e8e7a994c675bdfcf1bcc8d287ca0ae8badfb96be4cba08941738bc08d6f6bddbb75b5f3298c747af6db

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
652KB

MD5
d001a2f9a4a96e056c57e0c9c91005e5

SHA1
e14f9237e07510ed8c88c0379d6413e252134a9c

SHA256
74ba6b1e0297651d7160cba9bfa548b07dfefecdbbc679081823aac1cd5016f1

SHA512
9c2b1d0d89f3194b1aea873e07b71b1fe62672ffcfadd7d3a085326ff877e20658ffc0a3a7232b9f736b1b8840ac0801c9cfe5db6aafbf12cc916025ad37d7a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

Filesize
223KB

MD5
1b37b888880470ea6a34c6a23d4fb9c9

SHA1
72a926d4c399c3926b2ffe9447b62dd758aa7da0

SHA256
d0dba3e533459a0e7fd1233cd44ff2900e64a43165c0e910a930e5ac94fd2387

SHA512
858fea9a4555a248880d13b9429be59ecad54084db36dae170953f824c8c8c85d6313e84a801219c7c3faa45cc683869f106375186f8187b94666d965703e7d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
199KB

MD5
bc2a9796432b8fca28cf3ecb30a4c804

SHA1
13b4d566a289576e1949fec9dd52b0c203138d9c

SHA256
84199e98a2bfa2e54da0616e1d78641b4492ad64689372bdec7aa61870b3c23a

SHA512
9b043ca558581066184b995ae8f498bccccfc135caf61d72e88285fbc9abd597e54a6cb8c82872a1592472d3a8794b160ab62701816711177e830226e051d673

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

Filesize
184KB

MD5
d0f7f9bbfd5745b63d1711c9bec1bcfb

SHA1
27d40bbab487568e7cf753eaba75803a267c30df

SHA256
a126809b883521a29d23c9941761eb9bd376ca7bb9a89bf14fc4cf23194feda2

SHA512
301478e4e7366f00b1bb3e3d324488b0da388bc028f6577eaa21cb072d940a1cedc0cf286249323402195e9eb0d3f61be6bd4c22335b5179714d794a69e6308e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIwm.exe

Filesize
791KB

MD5
75c0c973aa8500130248af3f241debcd

SHA1
d409959a35dcbe32c5af4f009442ffd89e832f9f

SHA256
debb46a31b8664de72b85c9ef76c8b12e1b09f51b0bd5d181ac609b70ee299c6

SHA512
8100dbe055c5c55c26af834b7c0db16cd63a999a799bb1bf1e14c8ff49771058359020de54816025e0c955a9e2aae0bfdce1fb559c48f58732a6ef48fd5ac370

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAAY.exe

Filesize
318KB

MD5
eff0c024258920ad8c1262281c8319f4

SHA1
9172b9610088b2836479b00dfa7a405f2f273219

SHA256
9e14e9f7524cc0e5194bd5e5ce6406fc0fc358cb8db0fd9f3cff4ce8b80ed1bd

SHA512
f6e088fe55b17820798da806f2232a380e80d4622e183189a85ced24fe3812dc14c3268519a10b60fd7226b2f20c00efc81fa6ec7e588bfef66dd161b4852d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIse.exe

Filesize
203KB

MD5
222182bdeccd957589ae6377929f49d4

SHA1
1a4e9c7e13abcf7f275637f07ca73a14ffa2f34e

SHA256
78f32b5382ed445b29f52a429bbb59e7f7e5279e5a5de648a12f9a234f924f31

SHA512
24b80683b66b4654186a98f1d1338b54cd991b84d4cdeb131e668ee4dd5e9f4af06f0a7ead7d6b1ab172a5b49168094615bc133d46de95a878bd3121bf3fe615

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUkY.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYIq.exe

Filesize
891KB

MD5
f1e3d783b0f73e512898ec330fe24b4c

SHA1
79f9bc4fd6fa0b815f7f7502e8b52c1377ec8902

SHA256
522356d564f965fa910253fb4c712c36f3f6219016fdf961525a47719bee3dc2

SHA512
fef0e9b0157fb11dbe12aa404a4c9cacf392cee2189f9025c0f7840b4f08932da7dc0dac55e24230024a6099b3db965b67ff597a0e2f7a6e71821395fb23bb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwYO.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CqAEkYsQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAQa.exe

Filesize
458KB

MD5
37abb45788d9c5dcded34135c91f4baa

SHA1
7cf27d6973f4b4da81bc75718629251a6f272528

SHA256
f44818dcce0bbb1b9880de66152c09237990500138b202e14f69d5adaf0da570

SHA512
3b9b6967b0fed5a0097c7f2e7889a3af0aaa07f6a8ff6676eef60391802833580e8580819f64d82c4146beaaa0537700104fe29ebb95d5ed931542c22ca836e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGIskoEE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgcO.exe

Filesize
417KB

MD5
5d32cc850df689a74e6fd30ecd4386e6

SHA1
82b8f1d3c9de4090fcf68aadfeeb2913b0362bd0

SHA256
325af3c64bacf2fa9e5316beeee4b51bf6840b9e48f3e65aa25caec54c415dcf

SHA512
a07784286c97f34c4c06ba0461a3988682336eee41d5eafb57a7288914c9324679c618826609f75845ed0e983c8a675d4c2e1dea86415365558134e7271bb222

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIEK.exe

Filesize
1.8MB

MD5
bedf552742c4a14c8dc661174b335791

SHA1
b315e753537df1d3ae629f4c44e39c3afd1adc32

SHA256
3eae8e42debbd7172faf2ae47136bd0ee7e9f89a3e36a1a519c12f4569a618dc

SHA512
1e2afc5ab4591205d63f0c1945a3b2bda6946f9c1d6015b24fb665a962b685e11330a624384c7ec850398111c606b95d6dcfee5f1c0c10b33839f65836b42235

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcEG.exe

Filesize
210KB

MD5
4bde4a570cc97670e6bcae8acb2471fb

SHA1
6ce3bc4f0f1fad16217bb0615f21204c21cba2f6

SHA256
10c17a3b6bb6ace9db8fef17d27ac04816e1e1142d9121464100502fc3bf374e

SHA512
6ce8fe4a40831d33e03fab441c86381d921bebd763d1d481b1b71fa6f6f6fe3ad6891b47b1714d9cff3ff6c050132bc72e1d8d0cd6fe0e1f7503a855dc77a081

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkwA.exe

Filesize
187KB

MD5
29abb04a30b15b625a047990b1a4259b

SHA1
0a008b67bc1806e04619446ecbc059cd5747ca41

SHA256
f7cabe7e412edf2abef81e72906dc9eb3becf9f409c8453dc137c2d846450e83

SHA512
15bcba622d0510a7ce255f6ff844c6d9873ab99e6f0e25869957e72829e0de1e08f4c738c1a3d3bcf68d366603d7b63d23bf7488759c231ed5c96cecc5b629ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMAk.exe

Filesize
404KB

MD5
52e4c3bd76d0d7b8105a98034fe2f336

SHA1
ca584688ceba1c8c32a2bff09baabc6926f22b2e

SHA256
7da97f9136ce61b238b95322e0c659e92b34c6d85ab83e6daf1212c7272cb775

SHA512
f1e45525e49750c5449721be55bf242a47d02e7dbc70890a91299ddd2d1c848626e47f3fea5863b7757350ba73f0062da049879c85414bf3a330eed03fbb9e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcki.exe

Filesize
201KB

MD5
8957a9662f70511b6123dd9434bcc014

SHA1
76889ef1d2f5b9f0c6f1268c04c724133a5be7df

SHA256
b9501959f5b716bf6b8bd43abba7ede9b1583557e0afd26251c46c47990684de

SHA512
7ae477667ce68399b27d8faf8b4f8b015c1344b5c4e21407a3f74d48aa0c42dbffc95a2954402b011cfdfe8ff791efc4ef616ac22deeac0d00f286b523525dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAos.exe

Filesize
206KB

MD5
54f9fccd8a60a7bfa29271e7f55a837d

SHA1
a77bba260387603705c8fa1e89ae0cd556f50c62

SHA256
61f194b532ba83abe95fc13ae55b80a42409a25caab05e3a6c852293edbd575a

SHA512
c4efff8456a06e1870a0e4a0841b85e1d0a8c1256f6d9db4050e3a6c824557b503205bff2023a7cecb97cfa2658300b24b4d5217bfe543aaa7773912db2b45c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIMW.exe

Filesize
794KB

MD5
7b299546bbd5fc4d02d14ff0db10c24a

SHA1
b50ce85b88ee5af54fc1b1b5b886a6056fb8a25b

SHA256
a68c70ab32b0808820db6354e879826f93e33c4a93df09f384387d2f719e848e

SHA512
f195ab7dd7f0dd23d241da4e8261ba984d14690f7cd94df3a24982b5564240bb2337e49ca4ff1e895331de931c70bfd69d80314802907a9bb0091e968662a967

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUIE.exe

Filesize
260KB

MD5
117167f57bcbbcc69098caaf3dfeea39

SHA1
cd834c3fb363ec98e18415a00fa85cd7f5f2cafc

SHA256
e7cf43d5d45b09be678d41d4af247ccec90c0c88a362564b431c085763e3f323

SHA512
a286498b2d8873ea671ba25d5d5dde9160c4bd6c4b08e0916e7e6a7ff65b2de4e97f3ce1ab344f8797284446b7f95a22a0f4bb05f9bd236208d6a675344407c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMYG.exe

Filesize
768KB

MD5
74baebb5efb15b857f368dba49edcf86

SHA1
0ae7ae9afcbe32adb8794e857840814301366010

SHA256
8150392bbb8d95a9c0ec6ac8a97cef7867487b35f53a4108748bd43dcaafabbc

SHA512
8fc753552d3cbdcc8eac8f6d3473fbbbf6733d888f59eb0f553ac008ad8c3385d62e172294225c6445bb713cd0f090d23af4b42d22545cd159349601d507084f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkIi.exe

Filesize
196KB

MD5
4c8b3f852c73859053f655d16f719b8e

SHA1
c7bbf2d8e420cb165b1a1099bf89e2b5b7ad57e3

SHA256
b1fe82bd81f29dd2e6db0892c8ca5b9158b2425bf4745d8568e7a8275445c9a8

SHA512
493b267a2e19d93f257756452bdbd293656331d439f308317b6bcac5226cf93fa15744192b72239e9cfade2d76093fb3a077ba2bd686aa24965d8d08b79da954

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iowk.exe

Filesize
464KB

MD5
b058caf2a8079ba73638d29141700586

SHA1
7634102a80aabb03a5b5a361c961b7a1cc725277

SHA256
ede31ab7b430158d1e8a7b4fda338ea6ac048a0c9bc8d6da690a64fc5bc5b3c5

SHA512
02e4ed55576a320b2eaa298f7b240d9f36330859852486b46cb8157c1560e96d58d1a26796f75eed1c0f8d06fc199d8a1cec24dcda27476aa8b4830ba68505ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsEm.exe

Filesize
225KB

MD5
df38faca72dd33d661a854c49ebc467c

SHA1
3915a36e00acc9f1e8575b0256189af107fb2a77

SHA256
3ef69cc743ab9fa9a580699f993e00b1d242c2dfde84c7eafe0732909e074678

SHA512
eddad6acfb7402af5840a8915741cb1574268a31d0504b4dcb3c8e9558d0d15edc07e9da7cd7519e706f32280eebb61912c05973452f82fb7e93f4c6e83142ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkwE.exe

Filesize
824KB

MD5
7dfbef10148074c5293275a925e2d3bc

SHA1
49846198ea9b423bd24bb618e1ac7da2a18c974c

SHA256
07596c02ed142a14a53c1f946ed24d084cf4ed98fd100835811d83f015d4db61

SHA512
de1c4134cd4613948ad3fdfeaa59ae3f05892c120def71b75faa59ef4070a5c8db09c26083b00e31c68827b21d81bc4356c8123ee4a5dc928cc6c32505711f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIcw.exe

Filesize
194KB

MD5
814a1471f48ddd1a9ec82da38931be42

SHA1
80cda61da9c91fecea389496d0efd6491e52915d

SHA256
5dacd2b6266ba4110e04575f0b530ddafc9cdd894eea4e752f74b3cce41d8fa4

SHA512
4123b3a38f3022dcc2f3708d6a2ddce77a32e0651b2bedf99b215e7a1cadacfc4be38cf9c96aa94e9f2911ebce07aeeb3e3a4a48fc5a273b1f8bb374a99bf3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kccm.exe

Filesize
202KB

MD5
87587236fbe068333e5bd85dec27955b

SHA1
8ce6473a3b2236ce71c5c32700ac0739fcc3f0fc

SHA256
4fb36e055a83ecae460c81427c2c24c4f151b59d4e19f5b1d45e4dfee1cc74ac

SHA512
8200ce892f3fd8f6c8a35c941bcacb66a020618946e6e77ef0374f6f298d2c6afa100abc45f048b584e9860060a05268c3d843bcdfbb63fc5535e68c94e6da4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KocwUoUc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwIa.exe

Filesize
485KB

MD5
9226b06f543d4365137648f6494dce3b

SHA1
9815a1b607cd81d1465611b7dde06325e7726814

SHA256
419b7d537ab6cb5920fe7fba7799bf402659b80c9144abd54c40e443308ce568

SHA512
842363272aa73a0d6ca646c01f07da93e8cbaa41653e2398eb9349a5833594bebd7a58c9798691be533eee91476af59af85731ae92d1d81656cdf3ebfcba0852

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwUc.exe

Filesize
838KB

MD5
f4913ef68fe9b2190dfd3a85c306bfc2

SHA1
d3b4f11ba69c7fad807ba0a5e84d8c107ae2fe67

SHA256
bf8ad8adf63b288fd99c351b36613f8f62bdc9e612a412dca4f7827ab06ebfba

SHA512
67f8d0b02aa0a8e28e8e7108e4cf3f4fcf6c1011247d34ad7c73d78100441358f4416426646fd287e0188da6fa3871cd73ea6584d8f8eedc8455e1beb8d28ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAoc.exe

Filesize
582KB

MD5
2080304010397c1eb237e2885cf7b241

SHA1
fc9d3b7c7536681742fc34ba5d53d53d1cd9428f

SHA256
e26bc3b23e0f0260212694ff8c176324eeb4ba4a1047a7160ac457e7e0964435

SHA512
335ddfe4a3549f90f9733a04bc0c8425bcb282f00ced22950df90669511b76a22f42b31d4bf0fe2fef3ae34b4e762a9d845f47da86a3f0700790a5a982a06d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMEK.exe

Filesize
201KB

MD5
a794ab6d97f5e603a94130e8955915d5

SHA1
8a0be818f8b51cb3d9aee43e5f7b0f8bd0ddb3fa

SHA256
85ab804d6205127b121c6f725e8616e0a8f592d9d584f3fca0bd09c988aff64e

SHA512
736c58d51d32affdc8ed54e8d84b8c11229974747cb8f0fedd7adc9f3f37ffc07c8a27080a643779be8d354f963e9f2a7ea3bcf598c611ded2f716e8e17a3cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQMu.exe

Filesize
208KB

MD5
0debf7f83daa1f6a024e349850b6ca62

SHA1
36e8ff2998b891fdc8064106c5d53d73943aa524

SHA256
15ca09ecae1da3e086173b9c3dcdbcd99ee307e5c245f48fa1588e1131e3352d

SHA512
24163fcc264c211a2adc36b43f847cb0928d2f1a6fc451d5a5ed8272fe23e3f9bf32d1f658753269e2d2f7aae37a2cfc8e843a2d461e9d76d7e86a8cbbc51de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYUy.exe

Filesize
235KB

MD5
3e223647892ba7c0316219b7b554179b

SHA1
2ae739d477c4ec1d67d3e233b79ced4aa1eab2cf

SHA256
d5c5e48f5785035a6c1a7a85fb567e688b21e6249883f497b4a1b5e90afada43

SHA512
97aefb0a1800f64b740ba747bb80a686d725d84ca8adcda90fb541ff99c6f6d5e14689cb6689609be071bb119e3e8ae9ec17bb074c02f5504ae2692ef313b350

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgMS.exe

Filesize
183KB

MD5
b81a9dc1c12e5e135e81c0fddc6ff732

SHA1
f959d788e6f7b3ff833f710809b6fbc3a593df09

SHA256
67b2f36b8b70d20b17c21695abd0a447f8aedb460b68b68a925804ce23c097b7

SHA512
d203a3028d6a6d5ee6355e959aa0938da29e1c9fb7a8f33dc5a85c50fc7d2af164c2759c186d2c737505cece5a8f06d6f10401ac92f8d83224a322acff04d6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsEk.exe

Filesize
197KB

MD5
8c8bfef45bca4862eaecd4e4c5fc405d

SHA1
249dfabaf38741fc2223172875cb46ac8f0c7608

SHA256
47ca8d83c9bd3e3c7a6e7e9b9aeaede2add254cc6a6c765eb754ffbafb6f1ae1

SHA512
99a789caf6790e4bc3c4530fbe344024b15eb1303859537e2c9e47a53c0c8677d0534fb57b998fdc756ca6321e1d81e9882808b1e9536735b9ed13c63100035b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwoU.exe

Filesize
186KB

MD5
33ff8b14e954ea3b032dab86d4453ad2

SHA1
4e80f88a4eb02abd3ac657a8a648f25269e8d1d2

SHA256
fd571f6e2b5019c9d095b8ecc68de5e80dcb03aee6afc6ffe553dac3358c97ad

SHA512
a0fb66846ce8aee8a8863ee679bd8bfcfcad772c6af273343265c34f978bbb1a394c30c8f571014bfd434227a61fa21e39be08de0673f5fb0ecfe91bcbe30077

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMwM.exe

Filesize
201KB

MD5
0536d5aac91038e7abe05fc2a0c08b54

SHA1
3d7a9d4b9a39a87753067e9d804d11c6572fb5d4

SHA256
1d6db06b357b7234ed19e334174f779b1d91a210f9e0fb1c3ee34a00af8a49ad

SHA512
b9c34c2ffddaf7f2374224f6a4e8c65802e54d4dffeb4b8150b5e3c8d1fddcd99017ccd86a7e6b78a7c918fb3bbce5bda85e5e0e6b7b7f2a338f4766b818f26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\McYq.exe

Filesize
609KB

MD5
2b1519d9847c1669123cda8ecd0842a6

SHA1
381c3c105d83266afc6ecd9c759ee4c96366a5ee

SHA256
50d381c348a86cb104dad02a8471b53c4fb275b73190e665be9a8a762b74d832

SHA512
613288f00839d1abd991bad2a196031e11d98ba4bc92bd65ab10bb062ae743fe2e2ee0df5d5f4a9ed74cbf3962b13569fb698daccbe674f3c31e8b852ae0c8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoYi.exe

Filesize
189KB

MD5
584cd735195cf51dc69f5a174b2ef807

SHA1
40302a1eb282ae37a21322076190a72aac71f137

SHA256
76eeaeac45d618ffd59f0d7f93429150de92ef3a880c0e1414391768d026ab4a

SHA512
442cc2301170dd9cdd0d046b02dc02ffcbe10027535844ce99cf6eb7159553971350778fb8c9e4b925cecbfa75376961567211e0d23d62dc5e07c6aa5c648960

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYIS.exe

Filesize
430KB

MD5
7b650cecb29f58eea4c6ae3a8b42c6a1

SHA1
da52cb3d4d5f5f9f8cc6fb590043b4b74c8dbf25

SHA256
90a61ac38ba981fe381638f4a40697afd161f1f73d37ae782e2a8243a64956ca

SHA512
056227f59b7649dcf34df0d6a8deb779d5e3706859416f6040396203a4a141b26057be41c940ce4ae1457f41281c90f4f03b4a72b67ee04c56f12cf62f6552a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkcQ.exe

Filesize
400KB

MD5
5b69411d8784ffa51876e4ef787670a4

SHA1
fe11cb744aa92328143af1643302fa2b8b9787a5

SHA256
5f3797826c902427533e724504e7000e970ce5c58289a83d378e038c41c357cd

SHA512
de504f650f4ad21e5644ed9096707bd8efeb93ea5e3a846418d848b0b0ed115f4e2a87dbb97de95687b497d647731610913ce92859585f29cf5c1dbae7993e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\NsQy.exe

Filesize
578KB

MD5
a61bd235ab204c5fd092d6b4141cd019

SHA1
3c7ffbe460217cf5896b6e245578579bcea8b28f

SHA256
84db92218d0d3fe7221440e4061e12617bdec38cd7f60cd420ce049f26788a3a

SHA512
624cf0d20dd69d263c9697580e2bb31cb000923af0b1bbae203cbdd34424718b8d0c3b513fbb0086c6bafb6e94e3197c3acead55cbc88c72f2ab0e2c6790314b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwoS.exe

Filesize
206KB

MD5
28f5b2368d02cdff3ce5940781b0eb91

SHA1
3c9de181ff0e105319aad75536eed15ea8ec17c6

SHA256
9d687456392043e0f2d99033c2f120494210a8342a69cb366197a7f8f3468f28

SHA512
49e56bda25be92aa585ddfddce5ec5c8eb712f56ac8b6da4d6ef913600fdf5f60c39d13a913312f01271f5193755cef277cdc1abd167f19fd11eba6234d52b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMYc.exe

Filesize
198KB

MD5
4f6ab120c22a0e31403141c398f185af

SHA1
23cb62f92025878a6c3a491f265b17cf5d2ff067

SHA256
0074d135a81ec7c63715d9829eb9b217d729438b2966d9efaa476361a8462ce2

SHA512
bfa10653d5879867492b02658fd626205cd8dea3a87e03888dd534c409d7121d729e244b14448845c1a0a8a3081f444dd477859853715c01148f7a1f3365440e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQMw.exe

Filesize
522KB

MD5
93423ceac641d7396682b2c343821b8f

SHA1
e432ba2416779c793b71b2d24ef708065e49dffc

SHA256
bd36775627b9fd3468dc30547e91bbb2b6596bcda9f993fe30c725f01ebbd12e

SHA512
c84da205cd2c5f107cbe7bafa3bd1d14e94771a4617c117c7e253c4b35267c9d2eeb1f252f6bfd057c0f3a2270a48c972a289febc5d788fb38ddc7e09e23d703

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcUQ.exe

Filesize
200KB

MD5
9a02d44d3df61249bc32de578b52e8a8

SHA1
8ee6157501e2a925af966d1e80758e872209ba84

SHA256
c037c0f8a2d3b635f729e25af4569304d7cff8aaa338d268982f68514a2ad63f

SHA512
dd1476878a77730298c8293466a3395b59afedbc3c40a8e905d81269a6c5e7f7d4220c545e1aeb6772347aea4ab0de530f5cab71e418b5969e0bb538412c95ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcoUQksU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcoUQksU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkka.exe

Filesize
412KB

MD5
1522b6c0f966241133ca7dc79dffb646

SHA1
d060679e77db5dfc474aa5f8d8da72e7a7facda8

SHA256
a09d416471a6783eddf8560a0b9726af63858ba2f2dbb46b3c2182d69f90c9eb

SHA512
f1a68ce1d92a5032110361f6b2b996c010af52f22613d3ddc6371d359927ea59f6d2157e0f1d11f9746b43f04a28ee3653f5b9ad2d0486a16ab8f3fc2cc58727

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMEO.exe

Filesize
643KB

MD5
02cac2e6c05a602368a5c4efbdb0466f

SHA1
48bc540d5733c6b54708deb832db9ad694bef371

SHA256
968b7589dc2fec8a6d1c7eb7119eb884dcdcd366ee8dc2251ea010581ad6170c

SHA512
af5d6fcee9cde6782177f349bccc2bf3adb5eadd557c390839fb11838a8aa4cbd1eb5d40898406d4bb482d593b5da7f3d7f5f61bca226eb9089ab5ff1a33a92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RcsIcokM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkYq.exe

Filesize
192KB

MD5
20929236c8f3ff8ad3953e1b17059fe1

SHA1
779cc21b338e9754cff7a6077c64f682fe8e77ef

SHA256
b3bad92ebba1d61b0956d74ac7ab584f58b7d1335d337df09bda47712fed08bb

SHA512
147574e6b4ba66b0df3240aaa14918bba3d349bdad1b33d4a628e651ef3e4a190e26222ad92f4e5484b9fbb73e6bbaf0284924b2d74475b242fff70f2d7dade4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAsk.exe

Filesize
188KB

MD5
4729d4e6ad6a154ef24fc444db45158e

SHA1
ca9b215ee7ef35a077c9f0ea64cc8f681878df2a

SHA256
acaac4da62d88f282e421d8ac009151c01cb1ced560fc62a18f5c2d147ada082

SHA512
cbdb49bb0d3efa77261568580ad797ba5502532063b3020e7f8faf8a2ae8aa44f560ffe6522e4dac7a9e99e34099a5f34f427b91d0c7d6a968446c168ad07e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEsO.exe

Filesize
1.2MB

MD5
14721c5443fe04363f2be23ea882aabd

SHA1
119096ebe1ded25386d461a0c8bfdaec34575d1a

SHA256
110f4e00479303cfd48bc8f5c181f941dba4d55a8bd3f491c3c92b84963c4c08

SHA512
6b9a837a8a0884d49aa48eb9fc0d40526ae9037973ce9fd2d94284b285d0f115093d6ff890dd235384d43b9c3a726e3d832cbd9fcea1750025617f12fa26d370

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQAa.exe

Filesize
496KB

MD5
abbf9e9dc2def848c282a15bf7522fb4

SHA1
5937bef636ad54ba76bc9835bc09708a4750f27d

SHA256
c1274d91e8ccb5b5cc64f42a80685d654670be20d8c019edc51dffb2d9223b9a

SHA512
6c38a270c49e64622409586f42add112b7e30bd7a1d9baa0556f82d26c34474e230a678a1ba42e254d76d507d22675ec6a229a80cd3cdadc3bdd45f149723c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQga.exe

Filesize
200KB

MD5
41d2469831f1de13d3727c1797383b86

SHA1
b695c463223df15148380be73583a98f2dd297ac

SHA256
99992d5b5746d1be9d33216dc73d55ab48a6bad0b75da26eb4fd75fc8dfa6aa5

SHA512
4bc75f709095e1104cb4c7f6ecfb623cf9acd0edbbd58bc9fc03019bf5677bc164ad48261c92b496df27ef659d6a43b2d387ed8c10bd72ef0c61311bb2d60f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkMu.exe

Filesize
235KB

MD5
d40585b9912332e1a4abc8e61191cd2c

SHA1
11c76569dc932f20665f5c0d49cff80691ea5e3e

SHA256
9de0f3eabdf7d078874fc9654e5097bf29f5f96c0454f3b4fff2fe000a1cf88e

SHA512
0b9b0842c12f0331db4c5a6d9d1fc68fe2e3ffb2b1c234c92a695f6d7a958b0d6f44bd4d073dbb4ce793a99646ba1036458fa40639491f0afa55dec681b89ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEwE.exe

Filesize
192KB

MD5
15f5a14372c9934222340961ce25e2e6

SHA1
f4d9b4176898ccc8da910c2bd806a237bcd59832

SHA256
a68bdeacdfa18bb56d479b3a1dc77a7ce793ef8bdad01c5a655d84cac59f1f6e

SHA512
6e3189b0409949a122937ba15e584f8d2ed33a6c95f175535d1db0d73031fa5be0efabdf38bff7ddffec185ad50a0b2b592cf6364dd8d7c5ef21eb376252d55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TggYEIAg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkgU.exe

Filesize
442KB

MD5
d51048bc46e5ba8254ef38471b35359c

SHA1
b93f27e6dfea2f5fd6221de4c9a7fc5108ef1b06

SHA256
8fe8abf8b9d2b5d559aff0459d1860fa1d92f791d0604b83c656adab13322da7

SHA512
c610aeecdde6e9a79b75197c25576922c8434d4ef8893451aeaae7da9d3220ac01f4fcbdd3f93a088b6398aa4f650cb2a2e64437f11e38b2323482003478c8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsQk.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsso.exe

Filesize
195KB

MD5
2b04455ee4ab124a40c69e70997a1fdf

SHA1
a391b7a8bf38349e2b5685968a8bde3d80e52794

SHA256
1e8216a42c685dc99014a5902aea5e7406bbc824ee258e82a2a4fe3fcf30fda3

SHA512
9b525b10d34d053bd83be6435592d6d7a0e73b180afddaff5d3f84e81b9931c928ceecd177b5dedd7441dbc39a502844f8977da5163c0a62ea1ab67b61c9bb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMUO.exe

Filesize
996KB

MD5
951ed37dbdaee4a289914a47be9fe940

SHA1
10b9e5df853e63d6fdd19eb854cd78b1dcb5a8e1

SHA256
126a3380972124ed72eefb619c79d57e30569e0a960f5aa2bf865fc093fce70e

SHA512
8597aa815bf0faeb6211f4f6f2e0e8e8b530b326861cffbb08830b1a528c01f1f2837f293387455e8f2a8d0d29c7b856102d3d4ba7442e11c0610d9d612e9dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYQY.exe

Filesize
427KB

MD5
965fcc91d379d3e23f54dceaace700cb

SHA1
260814aea58cfe9365feb46a382271c5dd14d92e

SHA256
993b71d33bda6d03f97492fd18643c9a23d7d526aaed491b4404a80fe52fe7ab

SHA512
6396e83e6d48939cc1f152faa3eb483d6f3bb22cc41ac7cdbadbbb97d1a9c5342635007f0134719815d3a369e8a8a46ba49e0962455ac2c53bd33bda2ccd1f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcEo.exe

Filesize
191KB

MD5
6356bd0d754f17524eb085b9a84d0915

SHA1
25494d02f53273727d4925e54a84a0d7271f4818

SHA256
110b82d25fc37213d123b209c575475515e5d4eaedead7da150bbf167f44abf7

SHA512
4944d416b6ca6b6d2ad4305fd6a5195e0c1fe7080219d829b32b293595b9bbd23264a35ced8aae6aefc8259b914b84a0deaf09f06be8075fbf2f61ff04b78224

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYwW.exe

Filesize
187KB

MD5
bed898fae5c436711569a67adaa2e0e3

SHA1
287c9d0aa4ac4dc93c36658870aa3fa7a42efcad

SHA256
8a8b721771d92290c6f5fec96aed3f61d3a80455096059f97b473a7aa84e7fcd

SHA512
d5f0c87aa7a8e20264d5f749cc33b71476ec7bec52d2f36dcd3e409da812cd6e775f6ffc4c026d9e86bc6c8bf1a492042f2858292e18b5fcfa6eb7c92b526463

Download Submit
C:\Users\Admin\AppData\Local\Temp\VaokwoMY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIAU.exe

Filesize
202KB

MD5
54dd2807d25e8e70c8248d67bc1e2bad

SHA1
b95d67048b870a4e0d3ce68ff19afbb968745685

SHA256
88a9125dd1a5e48f4e59fec73bbcad6a59e3a7993b84033517446f9f76387c3d

SHA512
826005c87e3250989c33bf85ff500d45a8c74f11d0af50913abb3e845674ce2f264a25b409711df359d1aa7725ed0d5d6658a9bbca7cf3c1c39c42b1b33f56bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMUokwQw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMkM.exe

Filesize
317KB

MD5
04f343cc0b48fa7c280941eed08a5821

SHA1
e342a16007ee1a381f6f596e9ecb0abe3f63c969

SHA256
13641edaeb3e66c4414fb33aba1b6bfa409b6e317e13fd805c53e0528d7cdbf8

SHA512
281c15e0a325e21074f046486591f199bebd09aa9825d1d1ef4c66284a402e92a47f54f0389c3dc8e9e2eed7031f4b80295a66ff5b437314cc2591e4101b8c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQQO.exe

Filesize
208KB

MD5
9a2e82ce3a5930e8c9b8ef2e460eb925

SHA1
63bfce8dd6a458f21184af121687033f8fbcf2e9

SHA256
57c1bd804e4326c35699eb452024ca7d4494d03125cafe26b5af2e342fad6057

SHA512
c6220f452ad5f82382410d86554ed2ca98f94eeb80b773f95773902b852f711ba57d6219c91802cbae004f3a7140e71cd2216e4660addf12462662ace3e1dbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUI.exe

Filesize
636KB

MD5
65a33ee7148f7937314139a5252c9949

SHA1
7a388184341b9ef3013b225281403112c5054931

SHA256
5e898083071c556bb3cb0e6c86f3991bee0b36bdccd5f1b0e942fb9f469e07c1

SHA512
89132eb3e690894715fa5e0b51aafeef94188ae92138041085f99ad3ac3463758d61ecaa40c53002f0744533fbbe6815d16569748e5d4448e26f10d44efaa757

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkMY.exe

Filesize
197KB

MD5
c891d7b2e41cf09e4ccf4b8be5874cf4

SHA1
912fd50ae3001d96e39582434dae4f83ab4d0e31

SHA256
5ef754581292397f0e1cb75cffeaaae3788e49eb0f2e0db1d0d30903e45f4645

SHA512
058e5ac1e1a36038e422dc0b365e112760823a7f9385d2ae9c250eff0ee473522983f8ef441367c449bb8401052b0155917f1a4f75ac221564d52baae5b5f6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoQC.exe

Filesize
209KB

MD5
8786a30a26c998acde0333c228f2ac26

SHA1
27f359b9b5647dde766ac2258b85b9a702b2efe4

SHA256
6c6d0df48d7941f1c0970c4146ba6646717e6dd8ead0cf0eb076d6bee17b8a69

SHA512
e5d00a591f76b167099e53a52b545eace18f1e094f4b50dda7e3b04e33af8e71a8c85e468413f43d4207859bec660bdb28bc0e2880d843aca38789660299a1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKgcokEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoUC.exe

Filesize
192KB

MD5
ed51b684b41ef0434f5f8d735a51a7ad

SHA1
edeb0b9b2adffeef557b302be3d1d3d37b0d7263

SHA256
9fd5fbcd0de7eea7e7d731ad401a4c6ba136310237874cc6ed29f39b9f5677c3

SHA512
67cda07304ede9264286f3ba542e2a2eb5f7cac9b5c03677a2645c7610dc5299670d712bcbdadd67cb0e223c0b3499d0396fc69e694b1756c735cb7a96dc5eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsUI.exe

Filesize
613KB

MD5
477deb887c559ade77e7f5e2191dc647

SHA1
25d7e86217976ef98d61c3989d5cd487048ea300

SHA256
089ad6edc3071686a1c82716f6c9ec6c2d4566dc3e1da2874805772faa1c96f8

SHA512
2260bd24ad5210367b2da52604cb2585462c3285d7dd145b7f68b609c848e629786878c85e1fafc9dadbcce71dd388472ffe11489599e06a19dcbe02c433531c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYUG.exe

Filesize
188KB

MD5
f12004b00183f9fecb5c9a2c0c04c5a1

SHA1
bf8a01327d488dd61014016691423e29cd8c6f9d

SHA256
023b237e502f5624102fdbe18d07ae60a33ac63702beabd68d528a2d5966d7b6

SHA512
21512ffe432cfd626ca15509eaa35e32e001199671ecaed89f23511f7eacf9022757cd37705f6a91138b95699b16a91cb488baa9f97f19b8f0e93dd88d06abba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYYy.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkwG.exe

Filesize
1.3MB

MD5
dce91ad33116261136667dc86855f027

SHA1
1a1cae93066323d464dc45530687927811b5f6c7

SHA256
b9a6ec00478e068e6ad085c20742f83e239b32a610020ae29f834889163896ad

SHA512
f5570ba9f1c2851eb22abf4c9bad607fb641dce223daecde2c6c8166891a8b5691d73e9104cbaacb55f4eec7171461beac58ae4b3f3b9234f563f2f26a284d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUgg.exe

Filesize
5.2MB

MD5
f3a863ba52e57035f28b76b987623ffe

SHA1
d8033633032a38c394aeee4b94e47e339e528015

SHA256
61278a5b9be467bb6d95493a024e5f0f4bb8c93d5c6499cb4d857697381ce065

SHA512
44757fa65434b019a1d2512b512b64bf65616b55c404a001d315e89c346b1f481d1c0015c48c5d28225636c86fe399219522bb90ec4725c478215afe7c7c29ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\akEQ.exe

Filesize
191KB

MD5
5f58079df633e8197b171d1b6bafcc0c

SHA1
411b21e931bc6f8b2240fbb17d75daa7f3f2805a

SHA256
6c70b6f8c316fcdf99bf5f5b1d73430e42128c47233dbfcccf77b2c6f9d37056

SHA512
5517fa6c763514463f818edeb526f46d8f31ae13cd180501650621002ccdafeff07999597b50f5d59088e230ae4c53b69b666f845fc8226a676107ef603858bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\asAI.exe

Filesize
204KB

MD5
8ce9d958195e0fcf0cbb5a3b31b771b5

SHA1
a88ea961c637351505d70113a4a64a9f1187af4f

SHA256
6b4410c034cd3b5c02b34f1d215106f16d19c06221c65ed61c4ede429783c825

SHA512
5cae174c1bdefa5ec9a40353a6729261a708588f94b3db1c8ea98b7022835cd931a76ab5be6bd977c282d2789263ea3f8caeb0d6f7aea4075a1967afe2b95618

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYQW.exe

Filesize
198KB

MD5
5f668eede9de12aeddd22350d830c4e2

SHA1
438e40383b6d7546d6cbce622b57d2dd34bcb01c

SHA256
f9d7ffda52dfa663fd004174cfb673a5d431b1c413422d8556a5b8ca56428796

SHA512
514e130124b2fc5521eccb32e251075544c27b64b99aee582ed011a8df7ca358eb710872dd3374dad18d35f70b53d503fdb400018f850b7c588b24e4b758b503

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqwwQcMk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwUQ.exe

Filesize
324KB

MD5
75c448d186230ad0942f3c5fcf1cd866

SHA1
d1e40d717aa45d63b49e9f589cd2244b702ffdd9

SHA256
4fdd26bfece5cce09221f9b10a2fcdaab850a220f37eb72c0433e770764b4d80

SHA512
28af147484d6a8b8837a525aa8828858f07ef11ce3b8b9734ec1a34817680dc2d85981e6165bdac56c28709cfd6ceefa43dac95594a6675d9d309ae646449584

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIYy.ico

Filesize
4KB

MD5
383646cca62e4fe9e6ab638e6dea9b9e

SHA1
b91b3cbb9bcf486bb7dc28dc89301464659bb95b

SHA256
9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5

SHA512
03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cogW.exe

Filesize
204KB

MD5
3915fe3fb5f6786b405b15969b25599f

SHA1
e3427af52efa37731d816b60347b725facb78582

SHA256
3692c3aaa3cf15645f820a1fc7967144e813ddc69e613e57eed27de6dff3fd80

SHA512
91ca9e8838cb5d5a562d2009748466bb484395797679becae5387fff0e44e2fba1dab983130e599a360b98208942bbe569bc1c4be31cf47a52256c5c9d87d613

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d7c65b0c09f3exeexeexeex

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcgW.exe

Filesize
197KB

MD5
81dcdf46510877b0758a29b317667292

SHA1
a86d03e2e69665f42f8c8ee27471a461da29eee1

SHA256
d1967c127906c528569955171afa783bf946af19f25081fc2c2d35174645c15f

SHA512
0665d2796c709f85f60dcfdb18e2e301af6c71e74b98911c4c157a0195dbb409ab0c5b6062c7cfbf3217c75ebd0cc53ce54944932474acf168b483c8c0d2a6a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEEk.exe

Filesize
200KB

MD5
d42ad55cbd05bc50358b1f13f02fad99

SHA1
074e5bf21d3deca8575527e297f1645140257191

SHA256
f1ba2d778e033ed7c79a74075ffb84b95de400eb5c60da323f6f6ab08f2e1c2c

SHA512
bb929243bdc9ec2f5c1cfd7a963ac8be597b863ec5a9ba66b898b18aab3379fab91812ef9b46eb104bed396b078dedc2c27a6b6af06fbad570492d55555aa0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewQI.exe

Filesize
182KB

MD5
b30a327e11f0a4f72f4b2d7fd59e17e3

SHA1
6c0512fee6b4ae1bad7da5fb9b33fc7062591d1d

SHA256
cf9ae999f899b6a97172ed430fc612c9375902f7128a5948b81a67c07ad27359

SHA512
5662c8f8344daec4cba9e1868ce33a4dce5a88619078325f3dd080ae1788019a2261cc7134f95af3b84f3510b94cb330ff388e9b1453051b4f2c918f7af28aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcUc.exe

Filesize
204KB

MD5
5b61aba1df8e77f44d711383f1f29a07

SHA1
b1b131f7f3b45b6a0d2c4552e036e299bbf01a12

SHA256
e3763a98ec12aaa7c9ff4e3ba5e98d1dcf136cba42ccc22915586ac3ee5145da

SHA512
290e741dfb2534f03adc3ea1bc7caf32c05fd1abdb9277ab2f9f8316e7bcfd6b3e002ef73df1446dad65575adcf132881b17639aad68dc363d1d1ffc15ac1e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAEYcIso.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAMA.exe

Filesize
649KB

MD5
deb8e20cabe3a3880585a8973e4853e2

SHA1
7924c5c6193e44f6aacc0b35aeb3295224eeb89b

SHA256
c4e8cda20e3ccc620faed589b6bd281611b0eff242e13472473ea614f82f6ac3

SHA512
1643a85de4cd566d4060dfbe8fc823e16b58020776ac5630cb2f9f8d87a32cfabd57e439d0b684f97f557a1bf196facab14caa1a45875c3b423ce6bf0667bf52

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwow.exe

Filesize
209KB

MD5
117e76c44d7de380792bfe39f502699f

SHA1
26b276bd852a1f31dbabff2de7f23e3532f5f6f4

SHA256
9c3c859b0d60701abd2c139067f11ba4254cd170e97e66630cf769d7708fe893

SHA512
10a12d600fc0400196446da9f46e7d6b720ac06ec137cc84a19b897baff2a58c8a702fbc80aac2ec206155322f920eefceaefb04eb05877b21ca5dc3cf02a6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAsW.ico

Filesize
4KB

MD5
c7fffc3e71c7197b5f9daaea510aac10

SHA1
23262fb8038c093ac32d6a34effbede5de5e880d

SHA256
71254090503179540435a1283d04301f3d5ba48855ae8c361d4ac86e3abd2865

SHA512
c3cefdb76a9fc74299a7042096a549e019db3f2cf79e81deeabab2f3ebf2bbc9f2924a84cbbbc4848a4bf84cc3a0886c6c738c6bb37c9140dfc57f1f797e9c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikQY.exe

Filesize
193KB

MD5
509b98c526f341a01c14fd3c4443c22b

SHA1
cd991d9ee3276fc97409a550bde400e6d7f9d7ce

SHA256
dc0742ee462291cc93131418ee2425f8986d33bdb6378e41aa796f709fd62c74

SHA512
75de8514e287a1b491a8c3016698b063d09079f854c2127cc0cb635317908f1ffa805aedc2ab0b4e1bb34e99f41408c1402df498f6e2b9d143b3c9fade6bf0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcgU.exe

Filesize
186KB

MD5
f882ff3ec2849c01f968156e953c4ef8

SHA1
9a89ed9031bc079c6e296c9ae528ee243c3dc3bd

SHA256
c3184e192177dcb843786af1c5b6f0af89a64cced50f0ae81fe9aad815b56e59

SHA512
cc4884077f93c8c9d1da256bbca3981fed88b55ab42033a92bc49d347cc83187a9998e83d17797fa5b9d0b7a80c70df298708d0c9d38dea676125d26d2f43a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkYM.exe

Filesize
623KB

MD5
7fc1022e42aca6346b6a441d0e8e8b8e

SHA1
60c120945f27c4590f2b53b82b3ccff0cefb35a3

SHA256
18cd559ce1839963efe8b8b0bda262172d280ac11f34983b7434e56a0124048c

SHA512
c226195b27458503d21d8ad1f2ad0418a5f8755ab706f74455ccf77233a430282f84cdafd990ce3ba23d516e4d98b414dd3b5ed226fc98ef986edbbd7c403748

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOIccAQk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcwO.exe

Filesize
756KB

MD5
169d6c1bd6510d5f4d5042901bd48704

SHA1
6072a898b108b45d74aea8bc026f769382ef9164

SHA256
b42161dc6e7f495b4ddb820d1d64d84948836115baf45f7020d37616fb867e5f

SHA512
dd68622ccdc7e065be15b65748df93b46e2cf6d5708768f2ba1a097d4264866564237cbdc3bb2c1b1c8909846f8d52ec7ac3b3403998a3998d13c62eeefd6510

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQUIMUQY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\moAq.exe

Filesize
203KB

MD5
a1f7941779d51b698691f30cc6e16d56

SHA1
b6634adfa6aef5f07a0d8d9cb1a3755ab28dcdbe

SHA256
ab6eee06e932ec1b40f6284ff15d149694407256e77ba5703fdac751e97fddd8

SHA512
28b96c70cc395aa629be270123903b481af64328211e8935d65eefeaf31b9d55a98acd721d1ed85f94525c4c9b1c7e02deed1eaf0fc1fb6c9b9c6f4f7db5b6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mooi.exe

Filesize
198KB

MD5
acd5f62bc3a5347baee12869e8b12381

SHA1
57b549816ab51dc2be84928141e22017962bec2b

SHA256
3e7c4291972d89824779e0c5f45133e8516afbf13bcabd437c7e233e7a645a9f

SHA512
9b6b18ad17c65fac0c362beecec61c2d5a610f555368446b43896a83b77edb0406c386c6b59dcfd060fc17171abe6c2db34624452d6f0f61da4019bffd032b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQUA.exe

Filesize
192KB

MD5
fee1e7b5f5039e65ff66400729ed048b

SHA1
0f44099bd5deb65501d448bee808cb3c7e3b5ec8

SHA256
299641efe428c1f120acb792be87d97a19364ede4464c8bf517a9c05ee44f55e

SHA512
092af95001658e4e2719a6e52b1c4b260e21b63619bb4b01e4bdf7f289067f583ba7d6de13a16683c0f57455809681c1fe4f54dac4f75f66d83b3c1a1329ee27

Download Submit
C:\Users\Admin\AppData\Local\Temp\niEIsYgw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUoUkcgw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAsk.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYoG.exe

Filesize
235KB

MD5
964a77c3e2d17885c74b43fd85ae92f6

SHA1
690c328e89c00e7c26df128e2f46f2ece2999ae0

SHA256
4bba4bbea84aa4daf58385cd307550c738cf3eba4b407b2b6892ea0c0132073b

SHA512
0a19843867827891fe779b9de710cd02a5dfb366d862ccc3a91e2163985bac83d19534175c695df8a12e13b71b6f2dea8ea279681d5d66682142cf410504570e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkgoYUco.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\poUy.exe

Filesize
206KB

MD5
46f2ec9344e6defce9e50a53ee06ced8

SHA1
70797e0f99c9cfeb6c289512509b8c434b75d6c9

SHA256
d73d44dd08a15da046475aaaaf2fd94c380d52fc0f538cd03b5f0fc0fcecf06c

SHA512
ede53658b56ec4c3f0b19eba6eb001977e83062cecf7c3f50f6089a575cec17a2cd0a5c7f207018680dc4d1448e72ff7feac99bf63f524b209a5cde48f9ca27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\psMy.exe

Filesize
184KB

MD5
e27c9b1823969d13c273c1c6b9d01a14

SHA1
6867b84044e878cfb6cf4659cf2457491c44ecc0

SHA256
2d46aa5a9ad6585e82072a2fde6b67f8fdf7042ed5b319b9cc73899e317cb211

SHA512
1d74bb965ef352598ec7de12543d77e1c40bbfc6703ef1af73db9e9095369c66865ee42987accc8aeb6889319e91356bcf9939d1066aa6e0d9ba5077cfc2d3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCsckUcU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMEg.exe

Filesize
612KB

MD5
3b0453af6e4d7f47308d0ef074ac2741

SHA1
f5112b7b8b92a6b6f3bdc4133e31959e8e2266bd

SHA256
0e44d1278084ed0746314991eb83802fade4f1397428cf330d7bca8c5457c7d2

SHA512
747cab35f107d2782a25c83a9888016ba9f53584a5e0659d9c109a5670e0be7754c7e085ef89d12c95a5beb1b6e372c93f0a76f4052e8c1d0b1a37f64e5ea57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qOkQwkMY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAUu.exe

Filesize
508KB

MD5
7c519f577bd9669196a2ca1680af8d9d

SHA1
22aa08e8ccf03ada14a22e8b236638f4c36848fa

SHA256
bd1b990c3ab84f236515449c1f4ea37489206e320dd7b1f2ab984a752ab3521f

SHA512
475c0f990e38ee01cfe372e6f0451a4b52561a8c6bfc18e632031c25a0f4c8dc6743d691574d3ce0e9020f06e6c27795d7cf6c7143955f5702e5a86fa5947d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAsq.exe

Filesize
188KB

MD5
7a97de5c592853bf11aa71c9365fb27e

SHA1
96116f75f7a7994d83069b42f700cc9008676545

SHA256
8b07273d5c95532eb00ff9c27ed45aea0500abe3ce54a957d1a9c46045ce2e52

SHA512
0af8e5ae5f1bac1f385669941990add4cd1b961ba0c1ced968c7669c726b65b6a4a6a5bc3b2ba57bf68d92d9bbcee7a5c3bc94c668b9fc3226a8bee3915b09b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIco.exe

Filesize
199KB

MD5
5030f4eb27bfffa25db7d00aa1a35596

SHA1
1ef5cbd97790dfb53e291691be3dad36586eb37a

SHA256
1727903cc5e09d32a7be03deb4213829657206c269ef6d61aa1356a699398376

SHA512
679d68fc821caa8e763c535a9dd3c5e79b7ba1dc58a708ff8fa7548ea3549dc79bcae8d90ac44b025a8f5343c3fbd08cea8ff2ea28da79e33eb7ad84ffd3cb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkYO.exe

Filesize
199KB

MD5
1a30c143c84ff4d660ee492d8cb5ee45

SHA1
a76a1379a9021fda77571a056108bf83a4debcfb

SHA256
8b32a3be654bcdf3bb5f6a7f5c8fc490422cfda49f69e8fbc33b6d53c7d0c971

SHA512
3a52ed1d52e3ba56d74f512ff6bbc29bc667ffe1bf9e971b07f1fc707745716786b06cbcba776fc87c8eee5b9ff1bc7c76368333615ff134db0142997911637a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rowI.exe

Filesize
205KB

MD5
9d573e06183ef640db15af035d94ed98

SHA1
9e42d86e66e71d6e287a6539d3102fc56608b563

SHA256
03f345f5183518852d571065637d97da608d0ea34e38890c338a63c831051fd5

SHA512
fd2cf57e4bc894480a1826ec594862931464b80cd76a151ba6e2396540f063b37884d35e509ee5f127ab77ccd37f869d36d73be3b9b471b97e460b5d86445ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwwo.exe

Filesize
194KB

MD5
7f65499948a168ff85567391bd0faa60

SHA1
28a44967d558890352da442930c300414b6d5a74

SHA256
3e53baf53632c27540192f3e1f706ed784cb0912daef85e2717f0e2664627aaa

SHA512
9fcc6d6b08b70b87cc3546c21944dd9054b7bd08457da39b5755945e7153ce1aafe52c1154b84e856d84b0997de1e88b47ce791ff67ac345e3151cf52649966c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUwe.exe

Filesize
203KB

MD5
d7fbf88e3b9ad0b331f8ea9293880d17

SHA1
28da9de89892927a91773f727c30e7499d297ea9

SHA256
caccea5c18b2e71cb22696e2a785f15e37bc7aaba6c0de3d17fa2cbcea97a2ee

SHA512
2e41e9cb4773f1c9e9b96d36dabf967c189cbcae7aa98fd4d6731a90b5a3f4b29dfcde2171886e911b52516048cfd0621a1801ca9dcbb7b3919bce8796c8d3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQkG.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\uccM.exe

Filesize
206KB

MD5
919fdb88410060700ba3103dc4c21ce6

SHA1
d34460430c62a90861b74823cb6018d6699d11b7

SHA256
88f65038112a6df643425414f4cf99687c7104bace135f8c8e95192fdfcfc6b9

SHA512
d2cf92e99158372120ef14b4b8c309460ef6704f49debe4a1af919b722c9325ab9fe8ae995793272d1ffc0a57cefe09212f8964bae523505df0f7fc6cd5e4051

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAoY.exe

Filesize
484KB

MD5
5b1f904e38037e546916032ebe5ed4dd

SHA1
0f630a9c4e68df34adbd0dd469d0c390a7b63bdc

SHA256
442a74259955346d880f164db30c18bbf6040caf52318d0bb90aed61a6855366

SHA512
465a09a5d1d2bcd79b6b7f34ccc4860fb20e53d6f44f9da116b82fa67cd36cb30e258d51a4912115bb7409a356f44b66a6297b4e9fd4cf43b6bf34287766b5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcoa.exe

Filesize
1.0MB

MD5
5848277249ddca5e0678c11fe974a23d

SHA1
f70eb4e9b8cc9291c0a0a19a96937e30474c9200

SHA256
febee49d21ad79afcbaaab174a4fc022d3e3a041775059401c226e63ff8f2381

SHA512
0b32af5a28f372702c5dc469e3df6c8916d32129408f2155ceced0ebb0f728093c5213a36dc867b0280a8bb195790251fe21483c7b7fa32f6c93db1d44dbfbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgUm.exe

Filesize
200KB

MD5
e21789c114a5dfa3fc0daedeb98d21d6

SHA1
c906429cdbb6d6f90fb551393c6c9d27ac5e58fe

SHA256
b841e707bd3464ece9a0c4d29f37f2fff03e031e72b9644fc1ca655965d6d319

SHA512
c6b1e6558a2248b068eed5b64ed1c41dbbf707b3518dd03ccb66858c6178e0bfd2d1fc8b1f25f597167f61c7d7ea6cf718ef01ba3c0a703483712d9d099e1a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIYI.exe

Filesize
225KB

MD5
81d605fcb4c55b555c65f921c3f0c142

SHA1
856b2f0fbd2e645ae9266abff3e9b4212422fc14

SHA256
cedc9c114816c767391cb53b8aee33464c3deac2b4ac775dd7af36297889d667

SHA512
1eaa28b691c95fe72443787099c378b581e9373e928830b8ad7c34e3fef68094d97b94ce70058b092e3925f1ec8e76d82f6533b0a83d58b5803dff2cc8f511c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAIE.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAYS.exe

Filesize
194KB

MD5
0a53db78cdfb082d6c40b2757a87f725

SHA1
7fbcb53d214a58d90d99a32439d49d0a0fb390ba

SHA256
44f18f6b01f063a5704734c674bcbe5b40dfe265efde1fcbc6e5802b07ac600b

SHA512
dd0bcf636df00289579cd05c1945fc21521705d8d085672c24e029c0ccbd930c74cefed33b0b467fbc509c0ba8a08057bb01101eb9ca65f55e5880f087f39cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAwQ.exe

Filesize
222KB

MD5
b210dee21fee52ece7b36dbbb2694f18

SHA1
7dbb4e532477ef022e5fefc88f876637a4c714af

SHA256
c36f5031ca94a9b87b5580b39d587ed50acdf472b366e51a1ec0397018a98b89

SHA512
691532f54d22d268e76c7221e388b8ac1dfe30bdc223344fb543d651452c1a306dcc588b0771779c3f87ae8f8ecfe6af6e9d52dce6bd34ffb2b776a77f4b44b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAca.exe

Filesize
187KB

MD5
9d68276560cf2d77256f2806738c4534

SHA1
63af1bea2f77f697a88c30b3427d3e4f74c366f3

SHA256
7739d3ffa5fe09d04c3ca64cbc688aa2ba602acae876ae0473e2f75d0379d024

SHA512
c7f255c904245d28838442096583ea65e05e3d703f4b8b7956b9732ae93e0998c8df5abeec55282487e50efe4202edfe8f3bf3aab0bcd3e9adcc36499557961f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yCsIowEo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYcq.exe

Filesize
624KB

MD5
789ccb0627df22a56729f257af81ae89

SHA1
5530ea84930e0d84c254d729fd005c96c60aec3b

SHA256
38099c54ebbc3d6f0b922d60afb7c8d31cda954dd479b5f1f782c7ea31ce3fa9

SHA512
bcd1825c6e0b4515b7ac9cecdd19d5473e25e9e506245969d2b5109e4f12c11e5effac5faf62cd2c74e98597d4b20c736b9131e50d82c7e6a1f580f3db5f5a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zskM.exe

Filesize
211KB

MD5
1b20ad4b47873203d5b0e631590961b1

SHA1
f7eef1f168dbce4d35eb8a5c9b7ef439c2d6553a

SHA256
601e8a978a4ec7ebf0546eae480e383f7ec2987eb2763829c5717bece8f5b438

SHA512
5130a87cea060da021f74032f8d1505fc8c97a1e192dd4512a9ae98cf95f911f8d37b3a873418c9c60afb8e00e128c16f4ec546809f721375ab423a98da5bc1e

Download Submit
C:\Users\Admin\AppData\Roaming\UnregisterExpand.wma.exe

Filesize
844KB

MD5
b650c3c52f778a142c69258978c3a8cc

SHA1
3479d36ebb27e275db5dc9c0eddd900dbbbe4ff4

SHA256
8316da7bafcc11ac0947b5e64369743e09bfd64f327dcbc40f8c732986b37490

SHA512
15c62ba931ad1edacab0fa3e4508674ecb438c38a54fee20b8be8b26e183fe0bf137eef4ab2a9564878e52bdf16a13f2c87a367aa72907e910e411c4f92e3eb4

Download Submit
C:\Users\Admin\Music\ResetEnable.wma.exe

Filesize
524KB

MD5
4789f4ea0fbd993b145c9d74a59167b5

SHA1
3e35ce6f247c188a2cc87f542c47582e6c94dd03

SHA256
c788d610a564a5a6bcfc17351398ee73edd3cc7eedafeea4a16836d6e1dee701

SHA512
fafc908189c83bb55f223642359bf2aca280edeabf7434ce09d8b47b384cd52dff9086a0ee7e93751031d67437ae9312caed0b8dbc63df757b3be9f783f502a7

Download Submit
C:\Users\Admin\pYgEsYsU\UGcsYQMY.exe

Filesize
180KB

MD5
192cdaea7307b6e38e15db498c4b5eeb

SHA1
c3206d2da749e36ad34b0ef6bf6e9f6692fb7d11

SHA256
6572f6b44e21b615e4f50438afcd4c3c4303750ce9767339c18aa9e043981801

SHA512
80228be28b5a6b79e1ccb34d014f943943dcb9a69e41beab5002a3bf3a62b58d48d29a7d21144ada1c8853a2d3d20a027d8dc96877e20c87f371e1ee98c73c9c

Download Submit
C:\Users\Admin\pYgEsYsU\UGcsYQMY.exe

Filesize
180KB

MD5
192cdaea7307b6e38e15db498c4b5eeb

SHA1
c3206d2da749e36ad34b0ef6bf6e9f6692fb7d11

SHA256
6572f6b44e21b615e4f50438afcd4c3c4303750ce9767339c18aa9e043981801

SHA512
80228be28b5a6b79e1ccb34d014f943943dcb9a69e41beab5002a3bf3a62b58d48d29a7d21144ada1c8853a2d3d20a027d8dc96877e20c87f371e1ee98c73c9c

Download Submit
C:\Users\Admin\pYgEsYsU\UGcsYQMY.inf

Filesize
4B

MD5
bf6189fab9a4fdaa208685615135d935

SHA1
75a3a9c681f99944652c061d7ffe6f9ec2ac8f36

SHA256
676c44d85db796d997a6032a26b396a0ba4968a57d2587c72b2b588a5c5d5a36

SHA512
a7020c076b9f960af0c1a7a8508bb2fae59506aab0cf6b5861d9928b4168d595bb59b3337502bdd3983d71a8a24fc627b837d43d8e74bd0d53faf7288de4f18b

Download Submit
C:\Users\Admin\pYgEsYsU\UGcsYQMY.inf

Filesize
4B

MD5
ef45fc19e4ede0b50c6f41bcd1ce1206

SHA1
ed54105f7ac65b09f972b08036f60012d107f57a

SHA256
2462b0ac857d757f956e14621e9a4f60d837f722dd553165761bfb5ac3e77663

SHA512
bb9446c9d91f206270c6dbd6bd3d4debdab4ffc78a35a417a311a3cd595360a89a3c0225bfe1d2aff969c0d32782698137b0e75a3a42db43f3776b2a107e17c1

Download Submit
memory/464-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/668-454-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/752-560-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/752-570-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/824-473-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/924-309-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/936-133-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/936-150-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1068-427-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1516-600-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1524-201-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1552-559-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1708-459-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1708-463-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1808-358-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-636-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2052-384-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2144-347-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2152-551-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2184-397-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2184-516-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2184-401-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2360-213-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2360-205-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2704-436-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2704-429-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2744-249-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3020-313-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3020-321-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3068-628-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3068-618-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3132-489-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3252-411-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3352-543-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3424-508-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3424-498-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3472-226-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3640-608-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3656-168-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3656-177-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3688-446-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3716-578-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3812-589-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3828-277-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3828-285-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4040-374-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4040-362-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4120-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4184-238-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4184-235-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4188-333-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4312-529-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4312-533-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4464-298-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4480-262-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4524-189-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4588-616-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4632-273-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4684-419-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4740-481-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4792-524-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5012-164-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5048-392-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5104-497-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download