7bf3cda84dd48eb57d2f43c18d55c2ff80e96c559c977796be1a1a96eb555835

Analysis

max time kernel
40s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2023, 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dc8bf19b8a78e_JC.exe
Size

217KB
MD5

6dc8bf19b8a78e62d212bf1d7139f0c8
SHA1

b1fd75b053f4b53bb7b5ea4cfad1790841e89c7d
SHA256

7bf3cda84dd48eb57d2f43c18d55c2ff80e96c559c977796be1a1a96eb555835
SHA512

11f947fa99f2e47fa5797db0bc2b8c0a7ff2162f43e03dea66874520f69a89f0e11409ae4f6361f16b5cf0a0f06088b26790f0253f42f745036c400331998d2f
SSDEEP

6144:T57HkdSE6gq6RkqcTVAnYkBNJcx0mwLN5eWxE6qbLP:B5E6NqcifncOpyIuL

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 44 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe

UAC bypass 3 TTPs 43 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mousocoreworker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6dc8bf19b8a78e_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	sEwAgoAA.exe
400	CgYkUUYo.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sEwAgoAA.exe = "C:\\Users\\Admin\\JcEIsUgw\\sEwAgoAA.exe"	6dc8bf19b8a78e_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CgYkUUYo.exe = "C:\\ProgramData\\dcMUkgQY\\CgYkUUYo.exe"	6dc8bf19b8a78e_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sEwAgoAA.exe = "C:\\Users\\Admin\\JcEIsUgw\\sEwAgoAA.exe"	sEwAgoAA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CgYkUUYo.exe = "C:\\ProgramData\\dcMUkgQY\\CgYkUUYo.exe"	CgYkUUYo.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6dc8bf19b8a78e_JC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6dc8bf19b8a78e_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2196	reg.exe
4452	reg.exe
2736	reg.exe
1376	reg.exe
1784	reg.exe
4360	reg.exe
3900	reg.exe
3104	reg.exe
2184	reg.exe
3576	reg.exe
1780	reg.exe
4216	reg.exe
4300	reg.exe
388	reg.exe
2468	reg.exe
2700	reg.exe
2468	reg.exe
4072	reg.exe
4380	reg.exe
1892	reg.exe
2220	reg.exe
640	reg.exe
3576	reg.exe
1328	reg.exe
2544	reg.exe
3344	reg.exe
4292	reg.exe
1480	reg.exe
2720	reg.exe
5060	reg.exe
1052	reg.exe
2340	reg.exe
3736	reg.exe
2872	reg.exe
492	reg.exe
3224	reg.exe
4336	reg.exe
2556	reg.exe
3352	reg.exe
3488	reg.exe
4668	reg.exe
2932	reg.exe
3340	reg.exe
3268	reg.exe
4508	reg.exe
3800	reg.exe
2816	reg.exe
880	reg.exe
4480	reg.exe
1672	reg.exe
4992	reg.exe
1744	reg.exe
1820	reg.exe
2244	reg.exe
4396	reg.exe
1948	reg.exe
4260	reg.exe
5008	reg.exe
4800	reg.exe
4316	reg.exe
408	reg.exe
1612	reg.exe
2860	reg.exe
4336	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	6dc8bf19b8a78e_JC.exe
2064	6dc8bf19b8a78e_JC.exe
2064	6dc8bf19b8a78e_JC.exe
2064	6dc8bf19b8a78e_JC.exe
1888	6dc8bf19b8a78e_JC.exe
1888	6dc8bf19b8a78e_JC.exe
1888	6dc8bf19b8a78e_JC.exe
1888	6dc8bf19b8a78e_JC.exe
3880	6dc8bf19b8a78e_JC.exe
3880	6dc8bf19b8a78e_JC.exe
3880	6dc8bf19b8a78e_JC.exe
3880	6dc8bf19b8a78e_JC.exe
1704	6dc8bf19b8a78e_JC.exe
1704	6dc8bf19b8a78e_JC.exe
1704	6dc8bf19b8a78e_JC.exe
1704	6dc8bf19b8a78e_JC.exe
848	6dc8bf19b8a78e_JC.exe
848	6dc8bf19b8a78e_JC.exe
848	6dc8bf19b8a78e_JC.exe
848	6dc8bf19b8a78e_JC.exe
4712	6dc8bf19b8a78e_JC.exe
4712	6dc8bf19b8a78e_JC.exe
4712	6dc8bf19b8a78e_JC.exe
4712	6dc8bf19b8a78e_JC.exe
2764	6dc8bf19b8a78e_JC.exe
2764	6dc8bf19b8a78e_JC.exe
2764	6dc8bf19b8a78e_JC.exe
2764	6dc8bf19b8a78e_JC.exe
1428	6dc8bf19b8a78e_JC.exe
1428	6dc8bf19b8a78e_JC.exe
1428	6dc8bf19b8a78e_JC.exe
1428	6dc8bf19b8a78e_JC.exe
3776	6dc8bf19b8a78e_JC.exe
3776	6dc8bf19b8a78e_JC.exe
3776	6dc8bf19b8a78e_JC.exe
3776	6dc8bf19b8a78e_JC.exe
1632	6dc8bf19b8a78e_JC.exe
1632	6dc8bf19b8a78e_JC.exe
1632	6dc8bf19b8a78e_JC.exe
1632	6dc8bf19b8a78e_JC.exe
2944	6dc8bf19b8a78e_JC.exe
2944	6dc8bf19b8a78e_JC.exe
2944	6dc8bf19b8a78e_JC.exe
2944	6dc8bf19b8a78e_JC.exe
5088	Conhost.exe
5088	Conhost.exe
5088	Conhost.exe
5088	Conhost.exe
4684	Conhost.exe
4684	Conhost.exe
4684	Conhost.exe
4684	Conhost.exe
4448	6dc8bf19b8a78e_JC.exe
4448	6dc8bf19b8a78e_JC.exe
4448	6dc8bf19b8a78e_JC.exe
4448	6dc8bf19b8a78e_JC.exe
1124	Conhost.exe
1124	Conhost.exe
1124	Conhost.exe
1124	Conhost.exe
2004	reg.exe
2004	reg.exe
2004	reg.exe
2004	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2752	2064	6dc8bf19b8a78e_JC.exe	85
PID 2064 wrote to memory of 2752	2064	6dc8bf19b8a78e_JC.exe	85
PID 2064 wrote to memory of 2752	2064	6dc8bf19b8a78e_JC.exe	85
PID 2064 wrote to memory of 400	2064	6dc8bf19b8a78e_JC.exe	86
PID 2064 wrote to memory of 400	2064	6dc8bf19b8a78e_JC.exe	86
PID 2064 wrote to memory of 400	2064	6dc8bf19b8a78e_JC.exe	86
PID 2064 wrote to memory of 3564	2064	6dc8bf19b8a78e_JC.exe	87
PID 2064 wrote to memory of 3564	2064	6dc8bf19b8a78e_JC.exe	87
PID 2064 wrote to memory of 3564	2064	6dc8bf19b8a78e_JC.exe	87
PID 2064 wrote to memory of 1744	2064	6dc8bf19b8a78e_JC.exe	89
PID 2064 wrote to memory of 1744	2064	6dc8bf19b8a78e_JC.exe	89
PID 2064 wrote to memory of 1744	2064	6dc8bf19b8a78e_JC.exe	89
PID 2064 wrote to memory of 2556	2064	6dc8bf19b8a78e_JC.exe	90
PID 2064 wrote to memory of 2556	2064	6dc8bf19b8a78e_JC.exe	90
PID 2064 wrote to memory of 2556	2064	6dc8bf19b8a78e_JC.exe	90
PID 2064 wrote to memory of 4216	2064	6dc8bf19b8a78e_JC.exe	91
PID 2064 wrote to memory of 4216	2064	6dc8bf19b8a78e_JC.exe	91
PID 2064 wrote to memory of 4216	2064	6dc8bf19b8a78e_JC.exe	91
PID 2064 wrote to memory of 1504	2064	6dc8bf19b8a78e_JC.exe	92
PID 2064 wrote to memory of 1504	2064	6dc8bf19b8a78e_JC.exe	92
PID 2064 wrote to memory of 1504	2064	6dc8bf19b8a78e_JC.exe	92
PID 3564 wrote to memory of 1888	3564	cmd.exe	97
PID 3564 wrote to memory of 1888	3564	cmd.exe	97
PID 3564 wrote to memory of 1888	3564	cmd.exe	97
PID 1504 wrote to memory of 2712	1504	cmd.exe	98
PID 1504 wrote to memory of 2712	1504	cmd.exe	98
PID 1504 wrote to memory of 2712	1504	cmd.exe	98
PID 1888 wrote to memory of 232	1888	6dc8bf19b8a78e_JC.exe	99
PID 1888 wrote to memory of 232	1888	6dc8bf19b8a78e_JC.exe	99
PID 1888 wrote to memory of 232	1888	6dc8bf19b8a78e_JC.exe	99
PID 1888 wrote to memory of 4292	1888	6dc8bf19b8a78e_JC.exe	101
PID 1888 wrote to memory of 4292	1888	6dc8bf19b8a78e_JC.exe	101
PID 1888 wrote to memory of 4292	1888	6dc8bf19b8a78e_JC.exe	101
PID 1888 wrote to memory of 3268	1888	6dc8bf19b8a78e_JC.exe	102
PID 1888 wrote to memory of 3268	1888	6dc8bf19b8a78e_JC.exe	102
PID 1888 wrote to memory of 3268	1888	6dc8bf19b8a78e_JC.exe	102
PID 1888 wrote to memory of 4976	1888	6dc8bf19b8a78e_JC.exe	105
PID 1888 wrote to memory of 4976	1888	6dc8bf19b8a78e_JC.exe	105
PID 1888 wrote to memory of 4976	1888	6dc8bf19b8a78e_JC.exe	105
PID 1888 wrote to memory of 1272	1888	6dc8bf19b8a78e_JC.exe	103
PID 1888 wrote to memory of 1272	1888	6dc8bf19b8a78e_JC.exe	103
PID 1888 wrote to memory of 1272	1888	6dc8bf19b8a78e_JC.exe	103
PID 1272 wrote to memory of 4648	1272	cmd.exe	109
PID 1272 wrote to memory of 4648	1272	cmd.exe	109
PID 1272 wrote to memory of 4648	1272	cmd.exe	109
PID 232 wrote to memory of 3880	232	cmd.exe	110
PID 232 wrote to memory of 3880	232	cmd.exe	110
PID 232 wrote to memory of 3880	232	cmd.exe	110
PID 3880 wrote to memory of 4548	3880	6dc8bf19b8a78e_JC.exe	111
PID 3880 wrote to memory of 4548	3880	6dc8bf19b8a78e_JC.exe	111
PID 3880 wrote to memory of 4548	3880	6dc8bf19b8a78e_JC.exe	111
PID 3880 wrote to memory of 4028	3880	6dc8bf19b8a78e_JC.exe	113
PID 3880 wrote to memory of 4028	3880	6dc8bf19b8a78e_JC.exe	113
PID 3880 wrote to memory of 4028	3880	6dc8bf19b8a78e_JC.exe	113
PID 3880 wrote to memory of 3344	3880	6dc8bf19b8a78e_JC.exe	114
PID 3880 wrote to memory of 3344	3880	6dc8bf19b8a78e_JC.exe	114
PID 3880 wrote to memory of 3344	3880	6dc8bf19b8a78e_JC.exe	114
PID 3880 wrote to memory of 4512	3880	6dc8bf19b8a78e_JC.exe	115
PID 3880 wrote to memory of 4512	3880	6dc8bf19b8a78e_JC.exe	115
PID 3880 wrote to memory of 4512	3880	6dc8bf19b8a78e_JC.exe	115
PID 3880 wrote to memory of 4032	3880	6dc8bf19b8a78e_JC.exe	116
PID 3880 wrote to memory of 4032	3880	6dc8bf19b8a78e_JC.exe	116
PID 3880 wrote to memory of 4032	3880	6dc8bf19b8a78e_JC.exe	116
PID 4548 wrote to memory of 1704	4548	cmd.exe	121

System policy modification 1 TTPs 16 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6dc8bf19b8a78e_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6dc8bf19b8a78e_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\JcEIsUgw\sEwAgoAA.exe
  "C:\Users\Admin\JcEIsUgw\sEwAgoAA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2752
- C:\ProgramData\dcMUkgQY\CgYkUUYo.exe
  "C:\ProgramData\dcMUkgQY\CgYkUUYo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
    C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:232
    - - C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        8⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        10⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        12⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        14⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        16⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        18⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        20⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        22⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        23⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        24⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        25⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        26⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        28⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        29⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        30⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        31⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        32⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        33⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        34⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        35⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        36⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        37⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        38⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        39⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        40⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        41⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        42⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        43⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        44⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        45⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        46⤵
        
        PID:3112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        47⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        48⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        49⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        50⤵
        
        PID:4480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        51⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        52⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        53⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        54⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        55⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        56⤵
        
        PID:4264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        57⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        58⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        59⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        60⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        61⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        62⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        63⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        64⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        65⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        66⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        67⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        68⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        69⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        70⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        71⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        72⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        73⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        74⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        75⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        76⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        77⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        78⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        79⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        80⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        81⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        82⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        83⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        84⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        85⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        86⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        87⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        88⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        89⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        90⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        91⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        92⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        93⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        94⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        95⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        96⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        97⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        98⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        99⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        100⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        101⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        102⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        103⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        104⤵
        
        PID:2888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        105⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        106⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        107⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        108⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        109⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        110⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        111⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        112⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        113⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        114⤵
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        115⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        116⤵
        
        PID:2656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        117⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        118⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        119⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        120⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        121⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        122⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        123⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        124⤵
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        125⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        126⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        127⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        128⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        129⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        130⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        131⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        132⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        133⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        134⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        135⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        136⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        137⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        138⤵
        
        PID:3732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        139⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        140⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        141⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        142⤵
        
        PID:1328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        UAC bypass
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        143⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        144⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        145⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        146⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        147⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        148⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        149⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        151⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        152⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        153⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        154⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        155⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        156⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        157⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        158⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        159⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        160⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        161⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        162⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        163⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        164⤵
        
        PID:388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        165⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        166⤵
        
        PID:3268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        167⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        168⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        169⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        170⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        171⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        172⤵
        
        PID:3476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        173⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        174⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        175⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        176⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        177⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        178⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        179⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        180⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        181⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        182⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        183⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        184⤵
        
        PID:2232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        185⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        186⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        187⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        188⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        189⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        190⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        191⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        192⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        193⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        194⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        195⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        196⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        197⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC"
        198⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC
        199⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGgcksYA.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        198⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies registry key
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKgAQMow.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        196⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuYYIQks.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        194⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMwwYkYY.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        192⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        Modifies registry key
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSoUEwsY.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        190⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boIgUcso.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        188⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgcQQoQM.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        186⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCkcYgsM.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        184⤵
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        UAC bypass
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKIwccUs.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        182⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqAosQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        180⤵
        
        PID:2132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIYcQoII.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        178⤵
        
        PID:3880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        UAC bypass
        
        PID:3736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYQYAoAI.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        176⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIEQowAI.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        174⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        Modifies registry key
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:1936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsAsgMcM.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        172⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyMggQog.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        170⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAgQosIw.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        168⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWQkIIAs.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        166⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:2736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies registry key
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies registry key
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMIQIUoE.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        164⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuAEgIIE.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        162⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYooowQU.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        160⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqwIksQE.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        158⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWQsYccs.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        156⤵
        
        PID:3340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        UAC bypass
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:2220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwQsowUM.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        154⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWMwscYI.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        152⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        Modifies registry key
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAYooYks.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        150⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsQQYQgI.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        148⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYsQIwgY.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        146⤵
        
        PID:1920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCQIgQMI.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        144⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        UAC bypass
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOMMAQoE.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        142⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies registry key
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saoYMAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        140⤵
        
        PID:2872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vycgggII.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        138⤵
        
        PID:1736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        Modifies registry key
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAoskgYo.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        136⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoYookEI.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        134⤵
        
        PID:2756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeUsIUwo.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        132⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcQEUcAM.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        130⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsMQcAsU.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        128⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        Modifies registry key
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies registry key
        
        PID:4336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgAwAgIg.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        126⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:4992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCcMssQk.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        124⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKUQQkws.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        122⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gekoIwMw.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        120⤵
        
        PID:3296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkMIgAMI.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        118⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:2524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgssMIss.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okUgosgY.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        114⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        UAC bypass
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCkoMIQg.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        112⤵
        
        PID:4804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsoMQUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        110⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsYQwcMk.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        108⤵
        
        PID:2900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeEQgggs.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        106⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:3028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEssYsso.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        104⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYMgYgoE.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEssMAoE.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        100⤵
        
        PID:1704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWgcoEkM.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        98⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:2248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCMQAAQo.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        96⤵
        
        PID:1164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:3488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lmokcwso.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        94⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcMkUUsE.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        92⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyYMwoUk.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        90⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miAQAIUc.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        88⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaYcwEks.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        86⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeEUsEYY.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        84⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        UAC bypass
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWwQAkYw.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        82⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:3396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        Modifies registry key
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eigwswQU.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        80⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmAMMcwc.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        78⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOggEAIM.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        76⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        UAC bypass
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        Modifies registry key
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYMQwsgs.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        74⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        UAC bypass
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqAUMMIg.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        72⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISQEQccE.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        70⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQgsUYsA.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        68⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIMkUkQE.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:4784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAQAIcYo.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:32
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkckkoQg.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        62⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOIggAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        60⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyAYocAQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        58⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcIgQMoI.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        56⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWYIkgUk.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        54⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        UAC bypass
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmEkAMws.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        52⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCIEskwo.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        50⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        UAC bypass
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYMEkIQw.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        48⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgskYMYo.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        46⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuocgkUc.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        44⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCYMcgsk.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        42⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUgccsQI.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        40⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Modifies registry key
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgsoAsIE.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        38⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XskcIgoU.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        36⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vagksYgM.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        34⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOAwsQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        32⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgMQEUEU.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        30⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgwgMggs.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        28⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOcwwQwc.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        26⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUMAYkIQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        24⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOUMEYkc.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        22⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEcYkssw.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        20⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWkMAQUk.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        18⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSgIMkkQ.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        16⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqQgIcUI.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        14⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGQQkcoA.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        12⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PysckMkc.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        10⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QycIoQIk.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        8⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:568
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4028
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3344
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4512
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWIkIoAc.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
        6⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3260
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4292
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcQkMAcE.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4648
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4528
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4976
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1744
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2556
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgooMMoo.bat" "C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4684

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- UAC bypass
PID:2536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
792KB

MD5
a94ce98e44b57eb9c6fb09c0074605ee

SHA1
ab0d2c3249b5e170c9d1bc95f94fa8abad8a4b2f

SHA256
96a1a3e1e068ad2091890e7b9a8bb2741f19679e1db766c9be01c8374785df58

SHA512
e7bd22bb418bf39872e3b9a13b529a261e191fff78807ca6553a7be5e63b075a37896e403f0f8a564e5888565f87ad6aabaeed80a862cc9fe6626f98aa8b9c0b

Download Submit
C:\ProgramData\dcMUkgQY\CgYkUUYo.exe

Filesize
190KB

MD5
c3d2b8e2c7b3346f6d614b048ae327d6

SHA1
781eb1bfaa1325e244b05f61e1c89b2a247df6ec

SHA256
aa484b60c4fb45e4ccfb39d2d6ae22b78c4d1aa6839010f8ad2ea8d858d2534e

SHA512
52d6942b23535046ab1b68e1ccefd5606d280860bd724b5d9590813127478cdc7c3e1fc34a094e48df484fe919be637acd06ef06d8dbc531abeab44985473dc3

Download Submit
C:\ProgramData\dcMUkgQY\CgYkUUYo.exe

Filesize
190KB

MD5
c3d2b8e2c7b3346f6d614b048ae327d6

SHA1
781eb1bfaa1325e244b05f61e1c89b2a247df6ec

SHA256
aa484b60c4fb45e4ccfb39d2d6ae22b78c4d1aa6839010f8ad2ea8d858d2534e

SHA512
52d6942b23535046ab1b68e1ccefd5606d280860bd724b5d9590813127478cdc7c3e1fc34a094e48df484fe919be637acd06ef06d8dbc531abeab44985473dc3

Download Submit
C:\ProgramData\dcMUkgQY\CgYkUUYo.inf

Filesize
4B

MD5
f3881527b7644263344db16ea7fcc710

SHA1
13daa9a49c1bb57fdc5d2692ac0718d1a456130f

SHA256
c6b535ddb99d4f8ed4cf1e3b337849337f7794506e6e0d9e5d8b797e3a1c8851

SHA512
c324e1ab65a5c570988c5b252de442ad10bb18f1e7a5e754966ad94c6f339290da1238015f99913e4c99f248c535f2709316557589aeab95e00c44a1a54ac1c9

Download Submit
C:\ProgramData\dcMUkgQY\CgYkUUYo.inf

Filesize
4B

MD5
bb7180df168cbeb06ccac4b1208d6a7e

SHA1
9a9db79fe006cc115e16389cba6eff33789ea72f

SHA256
5ca9aa5f57bca1c9c4d6081aaf6581b51fd8d89b6fc73cfb386bb16d7f838552

SHA512
11a891f707bedf4656e887af1fbf9c74f9ff661ce3f682108551a0a18dd910954a580dc0ff21e7c53a99789ee24928b94c0c6398cdc6283007a39909d8468895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

Filesize
196KB

MD5
40770f0337da7b33b73a09df25bb5c95

SHA1
1d6c133099ad43e60f365f4bd9a64770bc087404

SHA256
3cfc694b928d1fdcea5cb5226dd623bb201fc52b931a61a90f410d2d2cf64180

SHA512
c01ac11cb5f0acf244b5abca49033b763f8e2a21b93209fce7ff634c3b6c9c31402ee83e8dfd6b47eb5c3a5cecb365ea946c1ac5783c06d2c936e56c72293ae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
198KB

MD5
9ebdce6dca3fd55881cc9de104f49a65

SHA1
fde60697dd55363d6e321064bcabcff15ae99b04

SHA256
eeba4dbdffa9eebf8a72f61aa86a6871adb618e126dbb83a4469c2097cd68556

SHA512
8449ebe4a85c3f3c8efb0d2a80901131ba6c8455f4275e7e3bcbc79ad2813063d070f60ecfdec206ad37200d54e4262d7687c344f9703cf5805e8f577ebcf728

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc8bf19b8a78e_JC

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYwq.exe

Filesize
628KB

MD5
eddd2bfe7a6ca37e00656ab2b2335d51

SHA1
0644d4b0d8da35daa8aed79e0430529ec138c1d0

SHA256
1938a74b0fd6a53416ca2cab77e66e8f90d9cc8a46e07a5054731aa9aa525326

SHA512
3c7fcf5bf9243a50d2ded10863b48ff823a7aa491ec7501ffc26aaf9edb6ae187e1f2b3915a0cb11ebabc3710d4256245f06d157111c8a5fa0484b41eb76704e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAoy.exe

Filesize
641KB

MD5
5e07f1f96722c3927b1b8abbcea4368a

SHA1
c2aa32fa76b15b81fb774d7a94a8f7b366a3c461

SHA256
6b1178e68881eb612985ebb26c439661393f08982c40438c35d1b3e6cd8bfacf

SHA512
a4933ac7231e9a92d977c413c92936ba34f4774161165a792f2dca9a4624dd5e668b7954049f4de1cf19c50f51501eb93b7decd7e10fa6528531f6346f7b20f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEsG.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUYA.exe

Filesize
200KB

MD5
f19f2fb5752062f17ac9cb36fac3c24f

SHA1
dcf95c124cd4d37f452fbc1b9c3f2fd08575c502

SHA256
a98d6efb6330d9ba58c70193b3a88d206e3549c20d5de8ba05cc27c43b162f43

SHA512
51198927ffaae96d58ffacfa0de02da3587f434d1a71f2b5b2514fe86ffe26e7a8fabc8cf33061900d0194646114808c03ad5b36e978de71433d1e174b02839f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEMi.exe

Filesize
182KB

MD5
57e895b06518dea71e7362f37f0a7a7b

SHA1
92c14cbd19e3174398fe1e745a06da83d7d14371

SHA256
43af9b73cadbab95c08cd255b035c02cb66c8c702a425b08b31762e8dea19acb

SHA512
d900dc00371b2a6633fc9b65af1a45352ed5b41ad7efbf03ad4b6aed244583b2fe04f8f666c12ac75d4d48a964b7c8f2b2c0c68fba9e2ed9f09aee80a643ee56

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYku.exe

Filesize
5.2MB

MD5
b7416e2f49504facb9d80e36adf0ac70

SHA1
7359682c43d69ae2d48bfaea4a40504490942bf6

SHA256
1f071097b4c35b86e9c967a0660e8a2feb6571f472549965a412b398c704aac3

SHA512
fa40a206357c12b27b1509235ed0ea5e679ac233556f15b4409fd35341facc873840c9f60b1eed2995327607900282c69334d2d06c7c158deb6d76c27a43f37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CckC.exe

Filesize
198KB

MD5
debf56ca1cd9457fe311a41a83a74757

SHA1
5f568abda02931c8ce8ca42304dd8c0c0349b99d

SHA256
e651b53c1a53a683a625ec4f1982ba3235a4539ea544db3e79cb9afe90d655ee

SHA512
572602ccad2ec9ea56d64db3cd938206420c4f1c94121ec74a55ad07be100db704185b00f574544f219f0013d5ccf9ebacae12b64141e93f107d1238d3204ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgwC.exe

Filesize
819KB

MD5
a12a4a0557fdca3fe63dea369cc79bbb

SHA1
15f8a0a10222c448d62d5004254dcdc57a5d5e88

SHA256
9bb1c6f4b8bbbeec189fca801d9854f39ec8656bca02536be262abf9e7fe96b8

SHA512
d20e667974af3c9a9b0f47436277c8cdde6c42a6678c522f439b3587f3c1e770e171ae3a72c709c37c28862cae1d8285db78b51123a477378772db2e659cba17

Download Submit
C:\Users\Admin\AppData\Local\Temp\CqQgIcUI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMUA.exe

Filesize
207KB

MD5
a5767eb2aa395dc44dbf82a9dabf9d42

SHA1
3f4c654a36c512a6e9ce53be778120610e02d95c

SHA256
1032cad704b5bc52ca64b135e20ceaf8774a6f9fa622dadb95b47c5cee763d70

SHA512
c1e7e732e430959084a1457e753fc911d16f9a2d402d0ff21c45b5db74448613ccc651cce2f61e8ae944ad2d4cef8c4ec273e22ede822c76be2b64ab55fae9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DoEQ.exe

Filesize
198KB

MD5
94f0956011b7c73de5136a43c9137f0b

SHA1
82a9e5c9ce1b34f39510c9230e5c81cbbaffd41a

SHA256
9853072fe1e9d82e2110c45c568340049ae04c87a3ae0c533700824e1c095eb3

SHA512
69adfd50999a973a7033bb80cd57cd1bf36b908ff7b69cf5f4c233df53e3f47fe1afc5335804ef8b2ad9779a4ec68489077bc3700dbc580a066f3fbc5f46837a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQIc.exe

Filesize
205KB

MD5
d8a5bff05b4f2395b76c5d83c16cf284

SHA1
548ccb7841baa82e07c7e76c5819a09760923be3

SHA256
f8ef8f391b61924492eac6e9262ea77f3cd809d8d816ecebf15b03808d104d5a

SHA512
a2f9ced979449ac7aa370139e3b729c189a385eedbe84781a91788b985ba1725e38f3086eb2cca7c9ce4eb85f5038ffe894d7e87fb6233d811c2e28382f34ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWIkIoAc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWIkIoAc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgsoAsIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMAk.exe

Filesize
381KB

MD5
8eabf79073b720b6b40d52154d63f1c7

SHA1
7f06eebed7836ecefc305b1d65b67882d60ecfe4

SHA256
ade440598cd38001f98a63a472271af805a155c865318a749ff4812f7a751656

SHA512
be8d390e221b3b5cdefb00142a924d2c5c3eb9bb1fd6cb2cb387d964ed8bd84288fcc3dffd5f49aa884cae3db6a9fcb0d3ea81542632ed5c15922d0ceae67916

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgooMMoo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMMW.exe

Filesize
198KB

MD5
aa8171c12c2582c387b023020e92d65d

SHA1
f7d537914200e03e7ba955f445ad1984763f6a21

SHA256
87ddf5a24d92fdde2a66d7354f844ed3e792773f7db1aab56cfae4d8f5cf7e47

SHA512
3ddc3d3ca4c25f60c9a96a4f10a6121e59aa74beabef0956a3ba1c6f5e0466230fd9121e4ee33768441400f92d68ff8a1969be22c0b3710703f50d19bd649be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOAwsQkQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hkcw.exe

Filesize
206KB

MD5
19f9502c6b153d57ec22dbd89445ee9b

SHA1
dae598a475ed40ba6196a3bb3d815db27a43ef78

SHA256
e25252f78cc185972aefac32eb8e26a95f119eba30c887933eb9d1f4a6541d7d

SHA512
31ecd56f7532a10e80ad224d9766fb32ff2a5d3dc4efcb5c5258e435e5d475f49876f3569748e8c50f7f744e6a2a6e0bd7abca15f6ea9da3fe9e94af91128390

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEoe.exe

Filesize
212KB

MD5
00f8976e2ce447dcf2f238448800dde8

SHA1
2b9e1b966693142d15130d40f05a90df21cc3028

SHA256
b012244f1b295b6bfc2b595e8d9569f7b4af6e39fc623c64fae789786f0c3fc6

SHA512
a4376e048b262a9a339bb3ae6085d2e3e463be188ad046f0d6cfa6eccaa90576075214680bef67cbe83d8fe5ba07c63df7b0531d50446a10912f46b1f81f9faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGQQkcoA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQAK.exe

Filesize
198KB

MD5
1681b51d0089b541604b2b1c00666d57

SHA1
bc64ebc81e2f77daba8847e64516d9ae78e29e38

SHA256
f3b9335f4ceb762a23af3c50a9daefa8e0e83a69abd77d776b5deb0edc90fcaa

SHA512
ecdb7d78e6bbe71be15f959853390302b6927d06a7d0fa8ea94ac24421f45f9747972446b94d13e62bdd126ed1af5d4c3068b605a9f6eaa61e8bb4ae4c34becc

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQUU.exe

Filesize
195KB

MD5
88bb55c3e24336e9fd42bf15a9509875

SHA1
f96c7b46126f0d967763ac762b46f00c3234ccf7

SHA256
74cb9bd4f33aeb5a20f7675a7e334d538597ad17b98e058c190d25da2f0557f6

SHA512
1b6aaeb9092661ce12fdc88108871ff20f7d4bab07d85f1f2d615af70e07e517f6c88a8f11fc8049391b01f19d0e319df083fed653d71f500ad177fa16d040dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYEi.exe

Filesize
204KB

MD5
443ca8bc51dd7e7ae5f55c7ec21dcff8

SHA1
e3888d491bf4ec6aa13641df0485c2aa955c49b1

SHA256
9ce486f641791732ed43ab8edbf4a10746e28044db421c948d5a0839cdcb4f01

SHA512
0237186932603fc132a8662624cbc7669d79bfdac1f456d0aa546f09a46c5f25937877e15949047e66beefaac14e0b15cd0eb4fc563858d529634855c50d7f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsEU.exe

Filesize
200KB

MD5
fcf7b4d59325463e4881c2f89dcaf055

SHA1
28cb03a1752dc813c0f5203ded0be61064959e7c

SHA256
abfee7ee9db0d8053167b02723b561deac7e95d4a2a779ac5d233e4ace35e486

SHA512
a52c4dbf952b12ebb17d5f0899b6f53fe9d57255c3a9639039575498a3ac688be8c7666b8573bd5c939ae908c53d5d76f93958cf4a87012a718af2b378f55954

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEEI.exe

Filesize
191KB

MD5
76d60c6d97ecfada718521d9fffeae2d

SHA1
d354ed801dd851c3e87067bf2f29d5afdf0915ac

SHA256
0f34e94f42eee66c5e55022bde72a63b8bd03c6a7e1d5ffc90f2ff886c80dfff

SHA512
9ebda01a421be45f5f7ec89c6352005ae6a1cd2464f2494c847cc7db17ba5fb6dd0f73fb476f56729fbc47bf1f59cb5884e08d55b6a981e71965dd7a07f26d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEEi.exe

Filesize
195KB

MD5
58b17e0b8bc9ce944c07d51bcde93f8e

SHA1
2998efb89c3b7393aa0b405285ad589eeb0ed4d8

SHA256
a40d407a09efee9b4dd5db545228f41bd7020269b3a14ea3b1b2576d607f873c

SHA512
b83ef5e05a08346aa4c400032038d8c2b59d79163e5d4cc4cc252d5972a1a719e1736bfcae214c2c9bb9be9d24ac833b074a4b27185946eb9f3497b450590500

Download Submit
C:\Users\Admin\AppData\Local\Temp\McIC.exe

Filesize
309KB

MD5
d72c493db362220ca87f1fcbef0b2f60

SHA1
97f2f0c64d07a09fc0cdb49bd4673a8dba344cc6

SHA256
45905d44c513e9baf63eadb314c46d740d6858163b5edf956523c75636b6436f

SHA512
2dadbfa99d7f3477902f531e4dca5d226ecc9559088b51a27c46bd1f1a9cbe5ab738a37b37957b1deb7591584fd92c1381d16d38e7367ff02f602d5c5aab614c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMEy.exe

Filesize
317KB

MD5
d1bf9497861e4bd5e474bd633fb13e6d

SHA1
ef518093def2ec1d2eccf7661dbfad623decb16b

SHA256
8d44dcb46c2025d55f281f8c136ae166716a21db55ade6e8b214bd4c7addfb7f

SHA512
f96f581800a3ed6a4d3d7f8741c23dbfb97e25b01f3afcaa02a55ab12c369780970c9d580c4359a42bb71d8aae297e803dd6f03e07fe0ee95afb43b510c8552d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMEQ.exe

Filesize
188KB

MD5
268a35f92663993e2330b19ab9488a55

SHA1
b2ba9830a976e7227d2412a3a46e98768d5e226d

SHA256
fa9425644062686d5da0411198f36757d967d2d3911e9d87c682ffbbca3ca01a

SHA512
ed6c6d538f70ce8b28cdfc356a7b10fa5c588e54c9668207f8345783761ddba7a26d66f93cdbdc27ecfa0f44d3b3288e2c1a26bcf2e40a540755a13e30e40cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PysckMkc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QycIoQIk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQYw.exe

Filesize
200KB

MD5
dd2c8684e8df60254d54e8681781135d

SHA1
c134d314176b19720ff8eca15464013d7883937c

SHA256
47c660344ff3057aebad1b3e0b8e1ee1fa285e704afcf731c61c3962af537a42

SHA512
ed0b6d03c99ae96ed75331c64d882004aad0995f897cf26e82c13d4540986158c5dcbcc27d4fbaa21549eee1d1c450675c4553f1f8dfb4133fc559d749bc8d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkQg.exe

Filesize
575KB

MD5
44997000037099c5f4b8f89b0a432423

SHA1
09826051175bb5407cfbd99bcd210e47deeff797

SHA256
2e8ccdc83110871b76cb260652a4c71d7d68a1b59190f5a696f0046ad8c6407e

SHA512
840c323de863fda2a4436edc6fd3cdbfe49b434f8c9eac6b8636b36f16e28b509cf273f97467771ae3b01bbdcdb88e2efab7438e2955eb8b73f05bab2b1ab730

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIQS.exe

Filesize
218KB

MD5
e98cfec8acbb4777832f359b57572959

SHA1
6a417f8389a55954c8a63aff34a44c50bab0831f

SHA256
36fd7c376b879a4fb3c642c2f53d18464a0caf10a71169a75819f4609d31e32d

SHA512
6e231416230ec5ed12e753560df724313d70c5a544ba62034df970e95e3aacfc55875fc9c174dc3747c9974bdea9cdf70b1f952a309fa3fb9daeb4644fc8a8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScQM.exe

Filesize
192KB

MD5
37d0e90f8fe89f2c35124a1ce24eb9d5

SHA1
09ca89ebf03e602be9889e7bb16488c745a36699

SHA256
177eae11ac0391f51d17bad5ba4e0513fdb93b93bc66ff5b9460eb54aa73706f

SHA512
ae0aebd8e0001466d3416e064b22320c832ccfa3d5d6a1a62119068ac29f3caf492ffdd0d2934666f930814646a6aeb1f2d5de0b26c0fd44f46e9f9973bb8a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgUw.exe

Filesize
210KB

MD5
f324819bee64a07672cdbb0f63bad127

SHA1
f1635378f1af223d0a861c3ddc268a6d149140eb

SHA256
ca5e0a07b3fd75162abb38122f8ecb975d6c4ac68a0c7d34f9d9ba6a8842bd00

SHA512
245dbce885315b470c83c1b129fa7fbdaffb8c9852bba72f208d2fb2ee9071a3e17c93f0623aa4f8a1a62dcb63238473d321c7a21864d04b6659334f7b754b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsAI.exe

Filesize
185KB

MD5
c1b6681387ffa2588690f3c614daef22

SHA1
b5919ddc556b01eb4c0bc1d78aa48a5a18c5ab32

SHA256
e3e85ae8a11abc2c8b59aa29010ddad7b052dc156b689943652a5e477f86ab37

SHA512
cd99459ddf5a3a22fc7087e7f1e5775dbee52252a49197d2de43f352f1fdb738d35dc3b3bb0667b98dea232d7dabc008d2f1babad59f90733d91182f07e1eef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcAw.exe

Filesize
207KB

MD5
774d2a1d74d3aab2073024bd497fd069

SHA1
fdec8e8c3f3db1eb877cab27db3bc7e5b1529a37

SHA256
0cce70689b731c2b335a6156bf40b74207a210127d0042bc3e2cbf64c2dac219

SHA512
cffe4c49f17613063fa43885c89567c84fe635c4616b84254d7e27fbc8f26f20595634a048702542bcda310ac48239594cee109c8ab6b3bb6cd5295c23dbe7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgYc.exe

Filesize
209KB

MD5
c63ef53e455604f9beb1760ddd68d366

SHA1
e584114f82d02053077b86fd425e0fed311b6110

SHA256
9cadd7186bc261f9e7261fb833cf24c342a789a2f920050e42b09abad4192446

SHA512
c4fead63923fba9ba0f74330dfba3e2c9465c3eb4a736d5b72140f544ada5cc600aa9ed9e88924d6e1df55d684532758a6fc13e9dcc7dfc1caa9583fc2c23d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgwA.exe

Filesize
191KB

MD5
d7341a689022da81176b9e244fde2be1

SHA1
a12045b7f5cb5ce85c9b6fb72f548de5326e960a

SHA256
b0314ed8bae4717e508b55c32ace8884d4bd492b946048b92415b83b32a8ffa4

SHA512
c8b387f16414f3921e604ac1be3ab62a27d7c47bfb2525206540f65a1c1c121ef68e03f2c29c2cbdd2e0ab2d45f79cc12af274a7a1b6ac8581d535c21d4106a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkYK.exe

Filesize
222KB

MD5
8d030aa33ef9a724406a19514ad11670

SHA1
aa2b51360a3c479d97aa7e764c03518c84c74a48

SHA256
9f0a98ee07d0b53d1d10e654150b73cb9b6b8a06cad9dcec78b32b3946f9f08c

SHA512
a99d790cddf98ac0d96edbbe786eccaa9c78a4ec503ad1bab2ba86a88cd284b2b797a0eee375adfc289f3b442327dae367c55d98a682e1a01af7cdcf7e87ebb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwMq.exe

Filesize
202KB

MD5
311feade29d19d3dbee1a1cf6b703ec6

SHA1
cf72415d1dabea41e69752635e1af7227d435996

SHA256
8bd62397182278b2fbf1b73b1d558d9dc9322b3e11a0692942aa0fc70bd9c95e

SHA512
1b1e6a931049f7482ac9090effda1a7e991b34efed7b84e75d443292c291bf7bd466e406e11aae40dfef95fc8af6c89de77777d4aa68e9c9470275cbce7a015d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgMQEUEU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UocY.exe

Filesize
423KB

MD5
270d92a484a0f729b3698864b443a28e

SHA1
5eae6e5f649f484ed0d900a091677698dc0af480

SHA256
ad06743c76e21267d4e05220c90d63f6a6f64f763975b53a1f5634ebedfcc056

SHA512
897bf84f0037ee1ff23ef1ba7d9cae5f91076023c39549441c04bb6b0e3399fdaf8e91f68706f79b3d6e2b8e2349e0e9a12056bd5b284c8f7722427c44fcf214

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwga.exe

Filesize
386KB

MD5
f871cc7da1a44ea4219aa610210e3f7a

SHA1
abdcb63adb9e57d5f096159af8eee01d1e3c8b22

SHA256
cc09e1a42abe37da16b648a96a7e6ec2812be74b7aa0e335ebb2cb2525636644

SHA512
2609772018d2b7f52ee81d188dc2f70c742d4a9202142c7a22501107fd1d60124b97ff6854370ac6a943d6f3d5220bb4f83d796c7463fd020a0a3105604215a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\VEgQ.exe

Filesize
200KB

MD5
6ff2366f3ecb80f889b0dd7c52eef103

SHA1
a7a7d86b84061cfb0d723e21be575dc6bd509015

SHA256
8f9ef409a2d84f54d0b7c4a62b4dc80f3ea059a11e845528f05d1fb9dad1e675

SHA512
af56e283f4125cb9cdedfbf661f628133e32fd399805f5c4a3e4b433dead0ecdcfad231c02ddfa09c151fab852dd092864f63a84d2f937f84f9eda046fa1ef27

Download Submit
C:\Users\Admin\AppData\Local\Temp\VcQkMAcE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWkMAQUk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XskcIgoU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYsa.exe

Filesize
202KB

MD5
ecd026ac0dbf8a3df999bca636b0e9ae

SHA1
d1655178d94673ffe946b97211260f42ee4ab5c5

SHA256
468041bf828de3dd59406bd76a257270c28958d870afbe94c8957b759ea4480f

SHA512
f38f0f7682d45e3fa8ad0f7ae767ab9847e801e983b9df68f012ab529e7b6d86cfcf3c0b982901bf8224f2025fbfd27924a99f1ca52e45126ae3efcc4796eea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsUy.exe

Filesize
193KB

MD5
b198c2593d2307a13fecf811b3c7fd9a

SHA1
ee6543e65f6efc3b888107dc0c741e6714971562

SHA256
f1a9c23b7739330fb40f11af33c31e85fb443a17f14d8360926cf43dcf9b1a0d

SHA512
990954385da704fedc94076f860e2ef55a9510f0c6e6fe470279ad0c56b697300d8400807786b3ef976c4b88d2284e27d3ee9fd48f82acec8d5c99a62d0f23bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywcy.exe

Filesize
207KB

MD5
31ee5292c7329c2c2c3e0c77b24e16a3

SHA1
2498dc8b570fcbe4b9958df2e01949cfde315732

SHA256
c839f1f9f385f9a9826812923b51780d6dc19388c6e2f4c15baf4dc0a293a0df

SHA512
c3b087fd44ce19928a9035c5036e16dbf63dd3f8654eb5de9608d2d52e1002f00c5920d610185156a6974c3d54a8f430de1d2efae3649382cc1c15129b1f2ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIEM.exe

Filesize
187KB

MD5
befad0e11fdeb4b2f37cfd19f48e4d73

SHA1
fce74e15948d6c8c3bc0773313a672bcbbccf3cf

SHA256
01c000497d2a906c2b3f75eeef558022497208dd755e33596f53fea73bc9f7aa

SHA512
599da64948e5884bc922ec7c2d6b564b16f23c823d1f473b593a0429c83851ede1a4f1f7039c5af3d608103b294a6808566bdecd770b56fad19b8b1f9792d51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQEi.exe

Filesize
497KB

MD5
c2e8afa16ee4f456c626b0ba62a7dd11

SHA1
f45b44787e895b00d46f73bc79c4595fb74da10d

SHA256
a3c202f79d704690c4435d5828f7c343622193366fc670ba218ddc5d406c9a16

SHA512
def451cea69707729f4173ded4308d00376712c39ccf64a5ff3b2844e105c7a7e77dd9fe63dc795005b8c8af3e8fd479b2d8f93bb040607d8eb8bfd62e66aa67

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYIM.exe

Filesize
204KB

MD5
8b9814d99c1659f96016e9e90f922037

SHA1
39d2b4d2c45e1bb1d855047e2d704665b0665d8f

SHA256
33e6d6122175d38b1249980d87cb50d3d93fce1d2c99d2b0771df1a5a37cf70c

SHA512
c5c28d193df1d6a1f0eaae983297c6337436bba480d62d44947fe2983056795e528e9701e18ce4b187b7fc3fe5cbe30fe0eceb26d1409aed23c3c1c7a8d36515

Download Submit
C:\Users\Admin\AppData\Local\Temp\boQe.exe

Filesize
202KB

MD5
8f56635f1ee5ccdf278294b5d9c6e564

SHA1
3ad9830811f9afc0ac9a1471d80354aec5b5dcd6

SHA256
4dd88368d7f98689de082e9442493198f3329ea947ca027d613ad6f06fe7a084

SHA512
78656728934bce7f07af203b929d36b2a8bdaa8ef316733e35cbce0ecc0838a892a41948cb7f49f87c2e02431167e46da8876e7eccc53ae72854a32d60c98e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckky.exe

Filesize
187KB

MD5
9b953c19ae2880cf7794ed9441f7c6e4

SHA1
a40f23ad774f67381a152e6ce52533fedae9bd53

SHA256
36dbad571e0b062be3e8682a60171540b34beeed5545da970e333174f961fa9b

SHA512
fa2c6a8c6c3ad166f363f69972fd3debcc09199474c298ecd668981a3e27a2b7f7c438ab8bba37e928b22672bdd70415306a49c3ee8a052b5951581a7e85cf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\cowY.exe

Filesize
653KB

MD5
725ad68cfd441eae58a4d58ea7161309

SHA1
762d5eee1b2b9238e41b03b026b93574c17d9459

SHA256
e48c510b1dd270de510774011ba65bd871b10264222e948add10eea445125667

SHA512
18088bbc5cd055dba38c0537008f8feaa5f5fcb0d98c4a82bdafcd49d94cb716cfe82fbe0cace1ca983833a520f3779fee6d0eb8d2e41ce26bafd56e18507aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcce.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMkQ.exe

Filesize
636KB

MD5
8f8f86d4a22fef84ae7b168f823e4506

SHA1
6badf026ae9b1bcb824a932b5605b9c213bc53d0

SHA256
13b26aa2b73c3fe61dd44fd764cea8b8c7dc06a221d2f67348638475c5cd337a

SHA512
1480f3d3169d4200df2c0041a92bc83d5ea990f2cf1c12802e0011d29b1b15d5a02f1c3b06e02942c28b17397d138b5172cb1407eab48fe42f8cab67aa79ca77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecAO.exe

Filesize
238KB

MD5
66e204ebe90ae51986ee43b2a25ec092

SHA1
d231149a6981bab2abd6e1fdc04855a27e7cf7a1

SHA256
7dfadd3c1c9eaa10549f4708b8a088a3ac314e021ec26a6a28cc1007dc5ebf01

SHA512
4d5951134b62772b31f557b59b7832e642c8a5c295322c587adb3baf47c3e6364bd70fa6496df56d242712c1ea42a27703980abe9e09a6c2f60e990ebcca5476

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMMC.exe

Filesize
188KB

MD5
0965a8a81e50b0364c9f38cfadac119d

SHA1
5c992ce472b80bc9f65c185cbb23edd2c0aa3829

SHA256
0a0c6a4d5f668e2aea5018a4631730e378add7c34d9d059382a02bce432d9efc

SHA512
410f6b330c9c2fcf77e9a19f1314257cda486df416e12cbb82ba9673895812183838e82130f4a18a243d56f10928fde61f1bc047fa8dce6de6ad25952c1c1f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUMAYkIQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwkE.exe

Filesize
638KB

MD5
ffcc7d84776e34591cd5fd4cf17163b7

SHA1
b3183fd7028c48c66bb5b5385aed4a63e6546312

SHA256
269a553a5b82ab24f9a57ba6ecf0bdb0ab6f13cd57deb721396366831365d1db

SHA512
4edcde3f0ded66295117dd432354a5b11d072c275bb2cb6ba139dfa2528dfdb5a7f938bc83e915accd82b85e098a4c4ccafdd86ea5957043257d6203aa257b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\goIm.exe

Filesize
203KB

MD5
4fab9edc4e9fa29eacb1593af482ca8a

SHA1
d88a414dc1c416d18818754538e0ea8c774454cb

SHA256
c768a74806a9ad18cc60c84b8c46f4a34b236d43ee67553466cb9d9f952c1768

SHA512
53ee2c090feab562866bf3d7dfc214903b63a9f2981a7816123d9e077a7ff325d8c9f103365cc3ab08b24d98594371d95fef50a3fcc79a69af3028d65cfe7e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwww.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMoU.exe

Filesize
773KB

MD5
24cf79af136084de7f9c3a5abd2bd08c

SHA1
1aa89b872c31f98114f1b1b6643b445a53c704c9

SHA256
9c61047b1cfeb62103f1499c2f238c850deeef6e13891bd07b28484534e849a3

SHA512
95f0626f06bd54b8d575916cac57f3b76e764776650359afcf8a4796ac2f386a9f5411469fc9c3ac60f910675c16071b96898191b358040644f67d381c893259

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIsw.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgwgMggs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQgk.exe

Filesize
207KB

MD5
f06004680c6a25f9dec660903f50aff8

SHA1
3d268e9b6a95e4ed5aa8bcee3325217131df1622

SHA256
f6a4c700c7619e2b5c5c0abb70e5e5c9f1f6f8461f7e42f88c4244b329abd388

SHA512
834b1640c70008e7b523907a3d0c0bff519d88091984d61b17b27032f7f580be6a1f9406cac1324ae4dfb3e7a66852f7679ffa5f4b3e6b93a467e6668172ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAMu.exe

Filesize
199KB

MD5
4ebde1053d1e24395d7400540dc34bcb

SHA1
07787f45d6bd33e419110c481d4460772833f7de

SHA256
9b3cb14812bb0b405404841c421b41f56270f5203a9c37fc7538a32d7a5d525b

SHA512
1597afb7c494632d6a339196303e094f4c49208256c50cd7561e3c1453e3717949449135100141685a3a6fc272d81dd27aa3ff55af25c3509ee5b4d3a11bf286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAUK.exe

Filesize
194KB

MD5
2da5b9c43c140878a5e6ea0ab8b00472

SHA1
c3b62db29b50a6e2db5953f2bc93c63d64916203

SHA256
a460606cdaa9150d0ca5bcf8247e64386904241a1e4918d4b19cd2a6cc7c2ed7

SHA512
dff4adf487685da9a2556bc3447910cea2881fa1af073b991d144c52b3ef05940c3ec0694175a77d74004694e54040dc1bb22c006caf13ac1703c04b637d432d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEsS.exe

Filesize
277KB

MD5
56bd6a5b285b15be53c12909f332b1b9

SHA1
26c4d1475019e572d373f0d86311a693776944d6

SHA256
f99320d0831133cb5cfe6c4ecd07d6659146ae1174363fef122e6363dbb72dc3

SHA512
298778aa3e0fdfcc9c2d6fe5cac145f3ca93de3e9555881e7385a4f72ca71d39e5314c863dc2fcda703e9d43266910e81431bbc46d84ab5181aa64e0b12f5d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIQw.exe

Filesize
209KB

MD5
5b41abd21134c286f89c66f3eef4d3bb

SHA1
2475d4ea8bd0ba7481b6c379213531b97968fa92

SHA256
29266b551231bf45a5af969aa6c9e31da8467e27b05ce0348c765940ba234799

SHA512
5bc7e266ae8b8a7b7eff1400183fed73b739677268698b5cbaf7af43d10bc496697c630a7fc98ddb5358c726d7b36e802b1d1aa4569c0898ec1e65939775e2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsIs.exe

Filesize
227KB

MD5
c6d81487e74e14e158324b15c1472d17

SHA1
dcd5380383c19cab28a31624563af4ae663a212c

SHA256
9e2c42202ea6383064429fa3ff3dfab8868d24ae03b540b0fa135ca09d0ed4e0

SHA512
eb44e7ef0a487ef07ea8bcdd8f51b9f727e23ce77d5b2f689e70a996c697e51ae016dcb1d6659c5bbdfb3b8b868e356dd2ec7d4ea4e77de220b0085f5db2df56

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwAW.exe

Filesize
195KB

MD5
cd0ba2dc79ac6ad349fab16a844141d9

SHA1
749d2690b26fdfbd19cd1e3439b211ea7a9a06fa

SHA256
e9548cbc871081932e9471e2ef3e7bb95d75675264912887ec37ba2b0663aa91

SHA512
a1360f41cd7ed6e3e1581bbe3e581602f06731e72c4ba717c66749a01d9bcf6460fa51f4c8e74069f0fd7cf89d1928be499f1c0a2a7a94abf18435b58088ae36

Download Submit
C:\Users\Admin\AppData\Local\Temp\pSgIMkkQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIcq.exe

Filesize
202KB

MD5
36c80181aa60e1e77cff18109bb8cf96

SHA1
af11a94a4afd506b7547e71359665d178a8d3c93

SHA256
07029401fbf59fe447dbd56a5d0f30ca0bee57d86bf5b20fe67d6b2320efd6c5

SHA512
b1512c1aaef3c100c22422a766fdc184cceb6add1948035d5120d10b369de83056285e528e02bb30f2091b2cd8cdb8329884a9a932b185001a61d9bb8fcb03f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEcYkssw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIow.exe

Filesize
834KB

MD5
11c561cb63d57d3e61db6ecdc1b01ad5

SHA1
df45efc37110cfd8730097d08aabd000ddfac671

SHA256
ccc946da909e97e227c04f32abd0caa67fb3ed9425f8d8e9c5072d9277827547

SHA512
47f9b64c92728fede071715fdfcac53695d502c958c5e6e7c10441dbcf31aaa04ebd7aac3c6f1260bad92afab118e7f71d4979b82eed805bd2a4290f2800b7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOUMEYkc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vagksYgM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOcwwQwc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsYC.exe

Filesize
183KB

MD5
be303c8a63cb51f2944b29adab2e8320

SHA1
5492a4b2822dadca60a4166ae1fe165b1674af70

SHA256
5e6e30ae87b8f09ab8693b75fbd8f76202eb17859504e05dfe6e827b5201513d

SHA512
2f4a9e88cb308b39d6c2cbde71ec8fb1be60e911c415abfde8815293dd32d09305dc9fb88428a2c760d46487abe1745b021343b1819705956c88818d6d1f5d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYcU.exe

Filesize
202KB

MD5
1910fc8dd5066ac3112873e9342ea02d

SHA1
a50369ccf06553739ee56ca8c1954a154482aaab

SHA256
97f28fecc0e449172077e2854e095676a8a2ecf743636d1f7839b7600510b83a

SHA512
ddef0fcd8bc5f251e3d9b25a0946d9cccd9770e5e8a2838b327c7f548b2f39e41597bd8caebfb6286b2eb4e9864ef7d28e532fb4523890717dc1ba235d6f23e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMUS.exe

Filesize
196KB

MD5
1f76a55b52df93eeca179504c912b1b7

SHA1
8c54a91f8f9842d7382e30bb198652075d8b57d1

SHA256
2c27780a4ce86252ca47f1792d81132309d4c48a57f76ee1869f4ce1a9d59aa5

SHA512
093317da6112122d85f2dbfbf921ab9ce3a9df589846d61e2058019be32bf385593e07d4ff09493db7ecd517112d5c5e90b11c36f40bd96d4f07586473ac0667

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkUI.exe

Filesize
190KB

MD5
27ea8f707f996ad5c817c08f79d18f6d

SHA1
ce82b14ec67d085c59304ef639c6f54282da8a13

SHA256
95b6713a2ecf866c6d809f0b8791b7202475b329a3d5f4868532e59dfed4417c

SHA512
7f705bf5b39874b5cc341901a2a60c39a740a57d790d701eb20d3f5f0c53bf832a4de390b568591030b4a36e0f49a3d3ce834ca373520de09bf73d5fd8d48d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\zowu.exe

Filesize
199KB

MD5
c26203799062c3d94132ecc1cf26a0f0

SHA1
5bbe2fbb364d897a74eba11577a61a323ed8ae95

SHA256
8c023c6e1c5c27e5a91cdd4d067178860269dfd6349f0aaa8dc62fe86db2849f

SHA512
b21dff364efbc36195ee6945325d2f928e2ab601e6113fe5d02d13b427e3e26fd75e93cb59c77852ba573a19c330fe0661040efdd704b4c29696ce764d505e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwom.exe

Filesize
195KB

MD5
46f1f23104ba60025e5c3296ef97fec1

SHA1
7c80671a41f141c5f666410c3ccb6b0bbc102630

SHA256
164bc5967f67020cc9ee2666b52c7133b6a60895defbb91ad64a79bca35f4a0a

SHA512
8929136bc765ce739691b87ceb764ae7ea8649d0c96bba4781a39290b5c85d21c3e23a2980c67a31be34787e5f77881e7190a1d64ad96f0fab9936ac237f7ee0

Download Submit
C:\Users\Admin\JcEIsUgw\sEwAgoAA.exe

Filesize
185KB

MD5
76a151deb7afadd08332371d05af60ad

SHA1
07192a8fbd41e069d43d08c461dee470843ebb9a

SHA256
9fab3053cafbd32741c902788a22d764b69fab46f7f26c850cc2e013b616363b

SHA512
90c079bf6e381ec20f4186769c1edc4685a655f4db051c94a567e46ad2b2c3e36e4b3334bf581408dc9db744567a9db701781a2bfea7f56fa924378258ffb797

Download Submit
C:\Users\Admin\JcEIsUgw\sEwAgoAA.exe

Filesize
185KB

MD5
76a151deb7afadd08332371d05af60ad

SHA1
07192a8fbd41e069d43d08c461dee470843ebb9a

SHA256
9fab3053cafbd32741c902788a22d764b69fab46f7f26c850cc2e013b616363b

SHA512
90c079bf6e381ec20f4186769c1edc4685a655f4db051c94a567e46ad2b2c3e36e4b3334bf581408dc9db744567a9db701781a2bfea7f56fa924378258ffb797

Download Submit
C:\Users\Admin\JcEIsUgw\sEwAgoAA.inf

Filesize
4B

MD5
bb7180df168cbeb06ccac4b1208d6a7e

SHA1
9a9db79fe006cc115e16389cba6eff33789ea72f

SHA256
5ca9aa5f57bca1c9c4d6081aaf6581b51fd8d89b6fc73cfb386bb16d7f838552

SHA512
11a891f707bedf4656e887af1fbf9c74f9ff661ce3f682108551a0a18dd910954a580dc0ff21e7c53a99789ee24928b94c0c6398cdc6283007a39909d8468895

Download Submit
C:\Users\Admin\JcEIsUgw\sEwAgoAA.inf

Filesize
4B

MD5
7e948b51dbfcfc827b09e38c0d47e92d

SHA1
7f209f3a4593c6e0d671b0fabe856beb9407080c

SHA256
d79bf026c1950f8775c8e62f8e8871c8a413d19b352a3868001242cd95c3e0b7

SHA512
f23748ca3691c2e1dde9cfdf7020c3b095691650c2a15ffb6390723af55e5d627bfb52d221fbe06a06250360d0f94509fa335eddee6ef0f9bf5f6fdda7b52e6b

Download Submit
memory/116-383-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/400-148-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/848-202-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1124-321-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1228-439-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1228-448-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1412-558-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1412-549-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1428-238-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1428-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1496-391-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1496-603-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1560-518-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1560-530-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1632-262-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1632-246-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1648-503-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1704-190-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1720-476-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1744-458-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1888-164-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2004-332-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2064-133-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2064-152-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2204-583-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2204-595-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2268-567-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2268-559-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-411-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-422-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2536-511-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-139-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2764-550-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2764-226-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2872-578-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2900-358-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2944-274-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3104-346-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3272-440-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3272-431-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3608-477-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3608-485-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3736-539-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3736-532-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3776-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3880-177-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3880-168-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3908-522-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4208-466-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4316-410-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4324-494-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4448-310-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4492-369-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4684-299-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4712-212-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4712-198-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4728-402-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4728-393-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4908-573-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4908-587-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5072-421-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5072-430-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5088-286-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5088-275-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download