84723ebfd4d98baaf0cd21ebd0fc695734ea99ecd946d9ba334199de65d0221a

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2023, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70fc1cb8040d8c_JC.exe
Size

329KB
MD5

70fc1cb8040d8cf805935315c7748542
SHA1

c266c308eac95687553a3577fee1438714681535
SHA256

84723ebfd4d98baaf0cd21ebd0fc695734ea99ecd946d9ba334199de65d0221a
SHA512

5e0ced633bf82472886b8c5fa15701a5d1cddeb262a10d44930955e0cf6da7e720323bb7e2ea73150e186e30dce8d7066c34f32fa8761c86440725718c140414
SSDEEP

6144:jVBjI4zHp2b1I1NXp3AdoIFr52mmWGZNBS5qldVbNb5vx+FF95ri1HswCDXNrGV9:7IQ0b1IX90oIFr52mC3S5q5to5W1HAjk

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	DllHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	cQUEwEkc.exe

Executes dropped EXE 2 IoCs

pid	Process
4884	cQUEwEkc.exe
1928	HKkcMEIs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cQUEwEkc.exe = "C:\\Users\\Admin\\dyAIYgoA\\cQUEwEkc.exe"	70fc1cb8040d8c_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKkcMEIs.exe = "C:\\ProgramData\\PgwYEAkI\\HKkcMEIs.exe"	70fc1cb8040d8c_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cQUEwEkc.exe = "C:\\Users\\Admin\\dyAIYgoA\\cQUEwEkc.exe"	cQUEwEkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKkcMEIs.exe = "C:\\ProgramData\\PgwYEAkI\\HKkcMEIs.exe"	HKkcMEIs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GaEkYwMk.exe = "C:\\Users\\Admin\\waYowsks\\GaEkYwMk.exe"	70fc1cb8040d8c_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IckIYwsE.exe = "C:\\ProgramData\\gcIEMYIA\\IckIYwsE.exe"	70fc1cb8040d8c_JC.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	70fc1cb8040d8c_JC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	70fc1cb8040d8c_JC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	cQUEwEkc.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	HKkcMEIs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4940	1448	WerFault.exe	136
2216	1232	WerFault.exe	139

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1820	reg.exe
3448	reg.exe
544	reg.exe
2132	reg.exe
4680	reg.exe
884	reg.exe
4376	reg.exe
4000	reg.exe
3748	reg.exe
628	reg.exe
2496	reg.exe
4044	reg.exe
1080	reg.exe
1952	reg.exe
3508	reg.exe
3752	Process not Found
4900	reg.exe
4852	reg.exe
1452	reg.exe
3616	reg.exe
4204	reg.exe
1660	reg.exe
4568	reg.exe
3948	reg.exe
4232	reg.exe
4164	reg.exe
4376	reg.exe
5084	reg.exe
3560	reg.exe
1660	reg.exe
4408	reg.exe
1308	reg.exe
3716	reg.exe
3348	reg.exe
1420	reg.exe
2272	reg.exe
516	reg.exe
836	reg.exe
1848	reg.exe
836	reg.exe
1864	reg.exe
1064	reg.exe
1660	reg.exe
3376	reg.exe
1524	reg.exe
4268	reg.exe
4132	reg.exe
4116	reg.exe
4972	reg.exe
5104	reg.exe
884	reg.exe
3232	reg.exe
2164	reg.exe
2228	reg.exe
3600	reg.exe
4916	reg.exe
4376	reg.exe
2436	reg.exe
1100	reg.exe
5084	reg.exe
920	reg.exe
4916	reg.exe
1804	reg.exe
1884	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1212	70fc1cb8040d8c_JC.exe
1212	70fc1cb8040d8c_JC.exe
1212	70fc1cb8040d8c_JC.exe
1212	70fc1cb8040d8c_JC.exe
2084	70fc1cb8040d8c_JC.exe
2084	70fc1cb8040d8c_JC.exe
2084	70fc1cb8040d8c_JC.exe
2084	70fc1cb8040d8c_JC.exe
4464	70fc1cb8040d8c_JC.exe
4464	70fc1cb8040d8c_JC.exe
4464	70fc1cb8040d8c_JC.exe
4464	70fc1cb8040d8c_JC.exe
3392	70fc1cb8040d8c_JC.exe
3392	70fc1cb8040d8c_JC.exe
3392	70fc1cb8040d8c_JC.exe
3392	70fc1cb8040d8c_JC.exe
1344	70fc1cb8040d8c_JC.exe
1344	70fc1cb8040d8c_JC.exe
1344	70fc1cb8040d8c_JC.exe
1344	70fc1cb8040d8c_JC.exe
3052	70fc1cb8040d8c_JC.exe
3052	70fc1cb8040d8c_JC.exe
3052	reg.exe
3052	reg.exe
2812	70fc1cb8040d8c_JC.exe
2812	70fc1cb8040d8c_JC.exe
2812	70fc1cb8040d8c_JC.exe
2812	70fc1cb8040d8c_JC.exe
4792	70fc1cb8040d8c_JC.exe
4792	70fc1cb8040d8c_JC.exe
4792	70fc1cb8040d8c_JC.exe
4792	70fc1cb8040d8c_JC.exe
1840	Conhost.exe
1840	Conhost.exe
1840	Conhost.exe
1840	Conhost.exe
3012	70fc1cb8040d8c_JC.exe
3012	70fc1cb8040d8c_JC.exe
3012	70fc1cb8040d8c_JC.exe
3012	70fc1cb8040d8c_JC.exe
3340	70fc1cb8040d8c_JC.exe
3340	70fc1cb8040d8c_JC.exe
3340	70fc1cb8040d8c_JC.exe
3340	70fc1cb8040d8c_JC.exe
3800	70fc1cb8040d8c_JC.exe
3800	70fc1cb8040d8c_JC.exe
3800	70fc1cb8040d8c_JC.exe
3800	70fc1cb8040d8c_JC.exe
228	70fc1cb8040d8c_JC.exe
228	70fc1cb8040d8c_JC.exe
228	70fc1cb8040d8c_JC.exe
228	70fc1cb8040d8c_JC.exe
3372	reg.exe
3372	reg.exe
3372	reg.exe
3372	reg.exe
1284	Conhost.exe
1284	Conhost.exe
1284	Conhost.exe
1284	Conhost.exe
1816	70fc1cb8040d8c_JC.exe
1816	70fc1cb8040d8c_JC.exe
1816	70fc1cb8040d8c_JC.exe
1816	70fc1cb8040d8c_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4884	cQUEwEkc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe
4884	cQUEwEkc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 4884	1212	70fc1cb8040d8c_JC.exe	85
PID 1212 wrote to memory of 4884	1212	70fc1cb8040d8c_JC.exe	85
PID 1212 wrote to memory of 4884	1212	70fc1cb8040d8c_JC.exe	85
PID 1212 wrote to memory of 1928	1212	70fc1cb8040d8c_JC.exe	86
PID 1212 wrote to memory of 1928	1212	70fc1cb8040d8c_JC.exe	86
PID 1212 wrote to memory of 1928	1212	70fc1cb8040d8c_JC.exe	86
PID 1212 wrote to memory of 4940	1212	70fc1cb8040d8c_JC.exe	87
PID 1212 wrote to memory of 4940	1212	70fc1cb8040d8c_JC.exe	87
PID 1212 wrote to memory of 4940	1212	70fc1cb8040d8c_JC.exe	87
PID 1212 wrote to memory of 3600	1212	70fc1cb8040d8c_JC.exe	96
PID 1212 wrote to memory of 3600	1212	70fc1cb8040d8c_JC.exe	96
PID 1212 wrote to memory of 3600	1212	70fc1cb8040d8c_JC.exe	96
PID 1212 wrote to memory of 2440	1212	70fc1cb8040d8c_JC.exe	95
PID 1212 wrote to memory of 2440	1212	70fc1cb8040d8c_JC.exe	95
PID 1212 wrote to memory of 2440	1212	70fc1cb8040d8c_JC.exe	95
PID 1212 wrote to memory of 4580	1212	70fc1cb8040d8c_JC.exe	94
PID 1212 wrote to memory of 4580	1212	70fc1cb8040d8c_JC.exe	94
PID 1212 wrote to memory of 4580	1212	70fc1cb8040d8c_JC.exe	94
PID 1212 wrote to memory of 1540	1212	70fc1cb8040d8c_JC.exe	89
PID 1212 wrote to memory of 1540	1212	70fc1cb8040d8c_JC.exe	89
PID 1212 wrote to memory of 1540	1212	70fc1cb8040d8c_JC.exe	89
PID 4940 wrote to memory of 2084	4940	cmd.exe	97
PID 4940 wrote to memory of 2084	4940	cmd.exe	97
PID 4940 wrote to memory of 2084	4940	cmd.exe	97
PID 1540 wrote to memory of 2480	1540	cmd.exe	98
PID 1540 wrote to memory of 2480	1540	cmd.exe	98
PID 1540 wrote to memory of 2480	1540	cmd.exe	98
PID 2084 wrote to memory of 4864	2084	70fc1cb8040d8c_JC.exe	99
PID 2084 wrote to memory of 4864	2084	70fc1cb8040d8c_JC.exe	99
PID 2084 wrote to memory of 4864	2084	70fc1cb8040d8c_JC.exe	99
PID 2084 wrote to memory of 1240	2084	70fc1cb8040d8c_JC.exe	108
PID 2084 wrote to memory of 1240	2084	70fc1cb8040d8c_JC.exe	108
PID 2084 wrote to memory of 1240	2084	70fc1cb8040d8c_JC.exe	108
PID 2084 wrote to memory of 1464	2084	70fc1cb8040d8c_JC.exe	107
PID 2084 wrote to memory of 1464	2084	70fc1cb8040d8c_JC.exe	107
PID 2084 wrote to memory of 1464	2084	70fc1cb8040d8c_JC.exe	107
PID 2084 wrote to memory of 3052	2084	70fc1cb8040d8c_JC.exe	106
PID 2084 wrote to memory of 3052	2084	70fc1cb8040d8c_JC.exe	106
PID 2084 wrote to memory of 3052	2084	70fc1cb8040d8c_JC.exe	106
PID 2084 wrote to memory of 4564	2084	70fc1cb8040d8c_JC.exe	101
PID 2084 wrote to memory of 4564	2084	70fc1cb8040d8c_JC.exe	101
PID 2084 wrote to memory of 4564	2084	70fc1cb8040d8c_JC.exe	101
PID 4864 wrote to memory of 4464	4864	cmd.exe	109
PID 4864 wrote to memory of 4464	4864	cmd.exe	109
PID 4864 wrote to memory of 4464	4864	cmd.exe	109
PID 4564 wrote to memory of 2280	4564	cmd.exe	110
PID 4564 wrote to memory of 2280	4564	cmd.exe	110
PID 4564 wrote to memory of 2280	4564	cmd.exe	110
PID 4464 wrote to memory of 2120	4464	70fc1cb8040d8c_JC.exe	111
PID 4464 wrote to memory of 2120	4464	70fc1cb8040d8c_JC.exe	111
PID 4464 wrote to memory of 2120	4464	70fc1cb8040d8c_JC.exe	111
PID 2120 wrote to memory of 3392	2120	cmd.exe	113
PID 2120 wrote to memory of 3392	2120	cmd.exe	113
PID 2120 wrote to memory of 3392	2120	cmd.exe	113
PID 4464 wrote to memory of 1620	4464	70fc1cb8040d8c_JC.exe	117
PID 4464 wrote to memory of 1620	4464	70fc1cb8040d8c_JC.exe	117
PID 4464 wrote to memory of 1620	4464	70fc1cb8040d8c_JC.exe	117
PID 4464 wrote to memory of 3116	4464	70fc1cb8040d8c_JC.exe	116
PID 4464 wrote to memory of 3116	4464	70fc1cb8040d8c_JC.exe	116
PID 4464 wrote to memory of 3116	4464	70fc1cb8040d8c_JC.exe	116
PID 4464 wrote to memory of 3340	4464	70fc1cb8040d8c_JC.exe	173
PID 4464 wrote to memory of 3340	4464	70fc1cb8040d8c_JC.exe	173
PID 4464 wrote to memory of 3340	4464	70fc1cb8040d8c_JC.exe	173
PID 4464 wrote to memory of 5080	4464	70fc1cb8040d8c_JC.exe	114

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70fc1cb8040d8c_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70fc1cb8040d8c_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	70fc1cb8040d8c_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	70fc1cb8040d8c_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70fc1cb8040d8c_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\dyAIYgoA\cQUEwEkc.exe
  "C:\Users\Admin\dyAIYgoA\cQUEwEkc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4884
- C:\ProgramData\PgwYEAkI\HKkcMEIs.exe
  "C:\ProgramData\PgwYEAkI\HKkcMEIs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
    C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        8⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        9⤵
        Adds Run key to start application
        
        PID:4952
        
        C:\Users\Admin\waYowsks\GaEkYwMk.exe
        
        "C:\Users\Admin\waYowsks\GaEkYwMk.exe"
        10⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 224
        11⤵
        Program crash
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        10⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        12⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        13⤵
        UAC bypass
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        System policy modification
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        14⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        16⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        18⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        19⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        20⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        22⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        24⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        26⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        27⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        28⤵
        
        PID:468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        29⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        30⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        31⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        32⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        34⤵
        
        PID:640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        35⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        36⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        37⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        38⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        39⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        40⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        41⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        42⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        44⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        45⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        46⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        47⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        48⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        49⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        50⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        51⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        52⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        53⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        54⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        55⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        56⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        UAC bypass
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        57⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        58⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        60⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        61⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        62⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        63⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        64⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        65⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        66⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        67⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        68⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        69⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        70⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        71⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        72⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        73⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        74⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        75⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        76⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        77⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        78⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        79⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        80⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        81⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        82⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        83⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        84⤵
        
        PID:2512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        85⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        86⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        87⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        88⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        89⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        90⤵
        
        PID:1764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        UAC bypass
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        91⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        92⤵
        
        PID:1840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        93⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        94⤵
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        95⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        96⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        97⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        98⤵
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        99⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        100⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        101⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        102⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        103⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        104⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        105⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        106⤵
        
        PID:228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        107⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        108⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        109⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        110⤵
        
        PID:1524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        111⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        112⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        113⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        114⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        115⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        116⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        117⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        118⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        119⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        120⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        121⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        122⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        123⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        124⤵
        
        PID:3940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        125⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        126⤵
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        127⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        128⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        129⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        130⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        131⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        132⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        133⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        134⤵
        
        PID:1344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        135⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        136⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        137⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        138⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        139⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        140⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        141⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        142⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        143⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        144⤵
        
        PID:864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        145⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        146⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        147⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        148⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        149⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        150⤵
        
        PID:1548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        151⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        152⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        153⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        154⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        155⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        156⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        157⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        158⤵
        
        PID:472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        159⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        160⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        161⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        162⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        163⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        164⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        165⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        166⤵
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        167⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        168⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        169⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        170⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        171⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        172⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        173⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        174⤵
        
        PID:3428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        175⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        176⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        177⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        178⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        179⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        180⤵
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        181⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        182⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        183⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        184⤵
        
        PID:3332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        185⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        186⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        187⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        188⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        189⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        190⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        191⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        192⤵
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        193⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        194⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        195⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        196⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        197⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        198⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        199⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        200⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        201⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        202⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        203⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        204⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        205⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        206⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        207⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        208⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        209⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        210⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        211⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        212⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        213⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        214⤵
        
        PID:868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        UAC bypass
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        215⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        216⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        217⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        218⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        219⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        221⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        222⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        223⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        224⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        225⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        226⤵
        
        PID:3860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        227⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        228⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        229⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        230⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        231⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        232⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        233⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        234⤵
        
        PID:2160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        235⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        236⤵
        
        PID:4200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        237⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        238⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        239⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        240⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        241⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        242⤵
        
        PID:3224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        243⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        244⤵
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        245⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        246⤵
        
        PID:420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        247⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        248⤵
        
        PID:4392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC
        249⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC"
        250⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQAUQoIc.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        248⤵
        
        PID:1952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        Modifies registry key
        
        PID:1804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWoUAcIM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        246⤵
        
        PID:1876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        Modifies registry key
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        Modifies registry key
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:1764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIUwQkog.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        244⤵
        
        PID:3616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roogQgAw.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        242⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        Modifies registry key
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:4684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAgwIoEA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        240⤵
        
        PID:868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:3752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        Modifies registry key
        
        PID:4916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        UAC bypass
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcwMccwA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        238⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkQUcoYY.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        236⤵
        
        PID:3716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:3900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOMkkkoc.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        234⤵
        
        PID:3276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:3204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WucgMsAM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        232⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEEkAsEA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        230⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeYkYMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        228⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies registry key
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:1240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        Modifies registry key
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WewgkoMo.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        226⤵
        
        PID:640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgUYYcEw.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        224⤵
        
        PID:3636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAcAQYwM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        222⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        Modifies registry key
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAIUkcAY.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        220⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyMcwMUU.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        218⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies registry key
        
        PID:1848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsUIMMMY.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOwUssEk.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        214⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        216⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        Modifies registry key
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:3652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyMcMYYA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        212⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMcAAUos.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        210⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOkowUEk.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        208⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:3220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        210⤵
        
        PID:3740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        UAC bypass
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        UAC bypass
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwwUIIgA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        206⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        Modifies registry key
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgkQAgos.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        204⤵
        
        PID:2544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        Modifies visibility of file extensions in Explorer
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQAkwooU.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        202⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKAgQAYM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        200⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKAAMAoA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:2228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        UAC bypass
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGMUMwYM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        196⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies registry key
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XeskcYcc.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        194⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:4668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies registry key
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agwkUwEw.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        192⤵
        
        PID:4564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykAMYIYg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        190⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIgsgMME.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        188⤵
        
        PID:3632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:4384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        UAC bypass
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCQwcYgU.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        186⤵
        
        PID:4916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAgYsYIk.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        184⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeIUIUUk.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        182⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:4792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies registry key
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAowEAws.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        180⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymUEYYQM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        178⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        Modifies registry key
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:4116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AasckccA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        176⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYoYMwgs.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        174⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCMIwEUA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        172⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiEQYgso.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        170⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEUsYsAM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        168⤵
        
        PID:1328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        UAC bypass
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoEMYYQo.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        166⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGowEAMU.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        164⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies registry key
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOkcQYUI.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        162⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies registry key
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYQwsMAw.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        160⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEsUgAYg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        158⤵
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeswMYoM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        156⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies registry key
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcYUEsYg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        154⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCcIoAYg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        152⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:3472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        UAC bypass
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAYcksQA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        150⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyEQoUsA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        148⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMYIUwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        146⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caIIIcIg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        144⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:3612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByIUsYMk.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        142⤵
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:2280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgYgUYIM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        140⤵
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        UAC bypass
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUwIcMQo.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        138⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies registry key
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmsokQEM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        136⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkAAYgIY.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        134⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCQgogkw.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        132⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        Modifies registry key
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        UAC bypass
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:1304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMwksIMU.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        130⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOosggMg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        128⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yyEUoAAo.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        126⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyUEUIwk.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        124⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSQEoYEo.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        UAC bypass
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYUsksAE.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        120⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOgYUAcg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        118⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgoMIkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        116⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMgAoYsE.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        114⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngcAUkcU.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        112⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqMAkYkM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        110⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiwMcYEA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        108⤵
        
        PID:2544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:4392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egscYEEw.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        106⤵
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GioUwkEo.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        104⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEgcYcEg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        102⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aywkkQkw.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        100⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmsUQwMc.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        98⤵
        
        PID:4264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOYMAUIk.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        96⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyogAMgY.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        94⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocEYYsMA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        92⤵
        
        PID:1940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAMIAwMw.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        90⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:5012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        UAC bypass
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwgIgcgM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        88⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiYwAwwY.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        86⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIQocAEY.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        84⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWEwYQAU.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        82⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcgsQUkg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        80⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEcUYAkA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        78⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoEkUYIM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        76⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        Modifies registry key
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGUUwQIA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        74⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwoYMYwg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        72⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIskYkkQ.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        70⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suIksIIA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        68⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMosAsQo.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        66⤵
        
        PID:1868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGcIkAos.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        64⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igEQsAso.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        62⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaQIcoUY.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        60⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYQcQIoM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        58⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKYEoYco.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        56⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEIswcAs.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        54⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKcQoAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        52⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwcUcQQg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        50⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taIcksAs.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        48⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAMwkEQc.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        46⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGEcccQM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        44⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYUUkkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        42⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcMIcwUA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        40⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCAsQAQw.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        38⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pokswYIg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        36⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyUksUAA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        34⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQwAMYMA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        32⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAwkEkEM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        30⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKYAUcEI.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        28⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOIkMUgs.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        26⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysgcAoIA.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        24⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMogIEUI.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        22⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyEgkYMM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        20⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASogUUUk.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        18⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omIMYgIg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        16⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:1308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMgMMAAg.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        14⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCQkcQos.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        12⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1520
        
        C:\ProgramData\gcIEMYIA\IckIYwsE.exe
        
        "C:\ProgramData\gcIEMYIA\IckIYwsE.exe"
        10⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 224
        11⤵
        Program crash
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgUwIoss.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        10⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgIYIkUw.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        8⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAsQIMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
        6⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:916
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3340
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3116
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOowsIcM.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4564
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2280
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCkwcwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2480
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4580
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2440
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 1448 -ip 1448
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1232 -ip 1232
1⤵
PID:4576

C:\Windows\System32\wuapihost.exe
C:\Windows\System32\wuapihost.exe -Embedding
1⤵
PID:3632

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
329KB

MD5
68465cf2d3b4c7e25414bbc79c9f262f

SHA1
4db1b113e42ac37fd6a6e448652a4367233144f0

SHA256
47c8ed823cd0cbd780c4b6443557ce5e0020c5f153ae4412bc52a6bbb65e4b82

SHA512
6da1c9e1c72d841e9f85baed11bb951b7e2baca8d1130fc08645fd3d925635203a4b453543d574f50a32748e599533ecf1f8bf41ff89f6f9ea0a212f730d6463

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
330KB

MD5
f2d61ffc7b0aa2f17a8a7a780e7e3ff5

SHA1
5a389b8f661a71ce6baba8fe6cfd66717d4441d2

SHA256
c01a47dbf8b62cabcca23af42bfd9d34157a816ef1b5b5fe628aa1c1a96efb53

SHA512
87752b8967511ae7c8c31e35f04eb278587874269ea65d32a382f8f7eec2005f9e5094b5db7aeb1a2c35cad227ecd522a813ca574cea5e0c227ec337c60cad2a

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
225KB

MD5
2350f0c5133d0cb4a855641715c4b3a4

SHA1
3b6870da03bcddfb41c7e3bf64c9ddad158fbffb

SHA256
738cdffa087fd96a9942affc863bfafb4bd1c1ca6fa4058f60fa1382fe4cf463

SHA512
f1450638fb35b2ce61d7772f9843a9b78a9d521e35d9470acf19a43145f9aafb31bf7182b9d43aba71daab26916eb38b8d91b419d6b4eaa60ffeb59d3cc5c3c1

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
216KB

MD5
17548ffc74134a55fa8426652f1d9544

SHA1
e661ef8657ab8868fc889a2ac7f4f4f8eeeb15f5

SHA256
7ba47e54161de4ce29d86131376d6a2fc935e77c7e31efbd7baf1b76ba916454

SHA512
a4558a455e67c739b82b18d1d7bdf101dc68e5ae0760a5e8f1b57348a46cc3cd536104d846ef8ad4e09d2a776612768bcc143c5c1e5209ea757333cbb803936f

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
244KB

MD5
6e77b0c90c3d737ba1eb1226ea77b88e

SHA1
9db4b341b8d3d8e931386411219542e6c83a6af2

SHA256
72dcdfe120211dd430357689255715ef417a99ae28c49d28a6ef4dce295ed9c6

SHA512
1241e52c8f8db17209c6748c9495498549be53c4da0f7d32da0fcbfe35608c285fbbfe07e505f50928a05c567ddc0b6989943c094db416dd6d470610262ba678

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
311KB

MD5
5303fe52723b17476f38cf7aa8a2a35c

SHA1
891c94e68400355a90a7861e27edd01566894c9e

SHA256
abe1a63eb981ba177593d05cab9a981f8bdc3fc84f694b147f3859ab16a8831d

SHA512
2309f2d6467a154246014a13aab1944db8340dd0dcf47d1506692aabf6d60579e9f71dcf8621900c526c6e1e7dda290607934cf6343e21a7dedce9b9950c1fbc

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
325KB

MD5
0e6736b919244eafd19304e3d8e8432e

SHA1
84cf9421c3c2a7f1dd51520ed8844936265c42cd

SHA256
0cbe1e94201cb66e57cbc8f547a733167d1f0078c01223a3afe5a853ed8afa22

SHA512
f531a378c215ce598962fc05079749edcad62e1fe35dc78bf76f9ac5863507e72f71d23337e3eb505a776acd0ae80a9b9ce82d80ebfcb56a91d87bfc3bd8d958

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
231KB

MD5
54027cb07ca8b3a0aeaf726d620d5325

SHA1
b3419a73e4717036a724afcbdc489eeac3e45946

SHA256
4715ee889edbc14cce2737df34ead94fb23fd7f12c438373bb021b4491900d76

SHA512
825877d7c36f0c90f0455f05ea98412b02ba3eca9d3a43cb89f4c0dde0a135c83c856a5b8a393776c8137c8f7a20ef48ad3f78a94f3ad4a86685efa215dbf515

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
228KB

MD5
02e5d1c6299046273e4eeef092def621

SHA1
cd48cd68791c542aab01069fa221c7a6fc189cbf

SHA256
e00a1be150cc59b73c6bce9fdcd29f04f0b686e91e2b139ebeba00daddfe3e88

SHA512
ff96f6b069aa4ba07f470910e65add216deaffdaf2bbb87931321f4f68d0a192a02706c68c291197df41ee630f5d9852b928e1246a43d49175c13020893a47a4

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
221KB

MD5
aa9d6494e3867dda34c1c5e9ab1f6e77

SHA1
6de627a4330e1e19adf043e97f622e523be4249e

SHA256
559c7c8cf61c42cd080123ebd896d0f764c0f79e78021b1ad8f15f486a2b89e5

SHA512
39b171aad0f60bc2f16b566e5e9228a46fc8a064e984962e267fe1f73e5aaaefc7f2739d56f90dfee65da1bca608cb00129edfe4eb3453c2e9524f07416d0aca

Download Submit
C:\ProgramData\PgwYEAkI\HKkcMEIs.exe

Filesize
198KB

MD5
3fb441f4841f4418a93ea73ad875f551

SHA1
475f74d85afdde05f28ac069ca8052b2303ea10a

SHA256
aeaf1502417807e85ae391b9713f5a282741055758f16b19ab9392b9105eecb8

SHA512
9b7bf81f0c2b05a8487b6988e6ee604c0b6ca0910053a0d4a848dd3124febf0059690a33c717b592b095064af56e57eaf65fa7bd6aa334fc392530bfaf1b6fa3

Download Submit
C:\ProgramData\PgwYEAkI\HKkcMEIs.exe

Filesize
198KB

MD5
3fb441f4841f4418a93ea73ad875f551

SHA1
475f74d85afdde05f28ac069ca8052b2303ea10a

SHA256
aeaf1502417807e85ae391b9713f5a282741055758f16b19ab9392b9105eecb8

SHA512
9b7bf81f0c2b05a8487b6988e6ee604c0b6ca0910053a0d4a848dd3124febf0059690a33c717b592b095064af56e57eaf65fa7bd6aa334fc392530bfaf1b6fa3

Download Submit
C:\ProgramData\PgwYEAkI\HKkcMEIs.inf

Filesize
4B

MD5
c37a2ceea1bf2ad6c19c5733f703e77c

SHA1
4fb9bfe18978d57aaa8b9e0a29e5ca1c9fd13476

SHA256
bf580c7163e152df78c9ec2baf8c8d4ac7fed535757abd138a3747548877fdab

SHA512
e44ca7d631943f23974cfcfd4d98afffe072783a846e62cf544896998830612831296a9973086f2b10d687b1b5864a190a61b992aa8fbc0493e7f528ca7780ee

Download Submit
C:\ProgramData\PgwYEAkI\HKkcMEIs.inf

Filesize
4B

MD5
3dff1b0302f052714d9a63a21ca071c0

SHA1
085a92e0def7974451c9f75b35c2fb8c79dcd56d

SHA256
785c842733b485250569fd3b9eb9cb538e5cb2bea6e1739a139937a8497dcf1f

SHA512
e075986b667595b60654509fc8b7687f33521eb7c34bb36ad3629bde9f36dcfcb8eb106131a634162a402148a516135436c1fa4ab05ff3b29d9fb18b2bd8591f

Download Submit
C:\ProgramData\PgwYEAkI\HKkcMEIs.inf

Filesize
4B

MD5
291112f957282307fbedba282dcfa26b

SHA1
133a777f9558315b379d2d7777fa860f9d04b2ee

SHA256
90be5ee6a4eb349a7cc2003a622e62bae3304c1a53bd00ccdea2af4d3430814d

SHA512
580aed9a89bfb2edb0b6852976919a194884447a1897aa4507576d812dadb1477846ca034689362e5f0a84df056664ad329d3a6ef6897e6c12dd710885c87017

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

Filesize
187KB

MD5
1bf4496d59138190751ca190c76b1f16

SHA1
b2c6b150a47742976f915bd26aa724dbbc29cc5d

SHA256
28fe5f267eab0e11a0572cb813f44281f4328f0f1502268f93a73e46506cd838

SHA512
2808ed776435dec365332bfc6d7907f52ee9244e82dbbcc309bf803eaeec716fa46e5692a886cf1ab400615e6df57abe60934a7c20bd8abe23289f1d60a9ef84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

Filesize
202KB

MD5
5b01df5bd4bc97381875153fe7d3fb47

SHA1
182d41ec768f96e6b89f4c95564fc7ac27bc3d40

SHA256
01e23159b52cc69a946efb114631837e40e7fb10f06db25f508c20f33511737d

SHA512
058ab328376e9c5f994a37c92fd5868e55ee44800f63c3126fb5caacbf7028d30fa129adfd505723457526295dcd1e330b9188f775e693882856febd8e2b48ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

Filesize
203KB

MD5
b7cd7e4d001cc82bfa40a69e573bca81

SHA1
851f58d1a3360d90f504edabdccec0630c84f9e9

SHA256
61322b91ff7dc41ed2c6df4d4eced68d83cff25113fe603a0a72bf85889fc5ce

SHA512
bb238a7c4c21bf1ccaaf4e8025c3524d835d30d629be105048c4124b33bf3327fe39310cb0da7cf722cef691f39e9d394c359bd3675094c67e7122d2b2771d75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
203KB

MD5
284d3f488421cba37ca39a751cd13601

SHA1
53e37e3e29708c7679b4a625c3b70c877c12c759

SHA256
6a7e19e113597ad2602a6d641fcf8a0ae9f37023468a2fb115db696473512480

SHA512
91861525178308e3925c67c822706e3a1b81e66e96e8ad912c1619670f48401795090eab9afbd6673b26cf660d1c5dc1970496cf2c16e4ccebd6eb4bd8f9955d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
199KB

MD5
5009c08775dd2aa544f3f9462905bf40

SHA1
3e4230e1853b83e911bc9f89599c9908bf869912

SHA256
ee7448255612258068d26782a0ca8a6e17640ed195d40b04b481b365d7bec585

SHA512
fa5801bf5d61c84e9e9ce7700c7a7ad7a6acc401f92a9a34f6644eb3434a2eab02447b125d757a5149a15d485eb0f54660aa8c1e74b29d67e2f7dd388576fdda

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

Filesize
191KB

MD5
360873d5c667d31519531e8ef9079c3d

SHA1
10668a2e103f4f7fc07cf0a5b774ce2e067ca580

SHA256
32044412ea1bd48e673617dacfaaa5d2bb3c13c97623c25c8c98e53644e0c702

SHA512
6bc9e83438c0d7b21eccf335f590cbb526f321627e15f8a64116261d200bcc9ab300a7cd57fdc32e6faa887b7bffd298f93775ecdc5620cfb9ee1603a68eb028

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fc1cb8040d8c_JC

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAEU.exe

Filesize
324KB

MD5
6542e10594b3e34d01b75709e7e775e9

SHA1
fc093906ccbbe54866f0b34493a8abe9d078da83

SHA256
b03335324d9e5a10d41cd5b0e83d51f4c6e113de7d2fd2672d78b78e8275ad60

SHA512
5e0feb623f9740d991cb15ad42673af90a862e396ad84e213962392e6c969e6a859a5c34a4fad6d808a4fdc380b6532e5b13a81954170df2658e8cd0981d73ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASogUUUk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIsO.exe

Filesize
213KB

MD5
e824f71f2b1e445bd510ef13529443da

SHA1
cceffb7902987cc060aa096f951bcab687861d1b

SHA256
219b3ea0b341bee05b3cb8b9f2622fb4b21e9cf137bd25ae2d81f208b12e1551

SHA512
10a126e16356167dbdf0da55a6fd688e6a64b1b3efcd626532857e87725f7be936f42d3e3d65d5f441daa6b35d3c910b30d4e5722b8d122908cd051d453bf9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\BgMI.exe

Filesize
192KB

MD5
ecdd1eb8609241155e045acc3e76e814

SHA1
546a1bc2e324566395a358de463ee9d091584a7a

SHA256
86dd29b10ba0617d669780a9918f06c6b8b3b894e0b7d175831b23804cc7959a

SHA512
dad3433aeb0065a8b941c5ac4094a50286f87fa0e2553f402f3101fb71e36fd42e55a6a26b6c67d9a89e17f4f1e78eeb73e4704206bfb8c5ff221bb9c769b5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkQa.exe

Filesize
188KB

MD5
455091d1466b46cd185bef3a447e3a05

SHA1
e85e7f919a7004e5847ee19b1c6c646a09e987bf

SHA256
f18780504889219e1f6dc2b69e0268a137ebeb4d18e7844a4040ba4331b971f2

SHA512
91eb537454e79fe5fc15971666f7cf6e401209a510e49ee96e2db47a0aee08d9dc92babd246882f77aa2d5001e1dd4ddc6359d17e61d2b8da149bb7c96b0a79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsIG.exe

Filesize
202KB

MD5
eac8c89d28050bb69960b346bbe2c9a6

SHA1
e34977a903c092557a283ecb66d00314909f8981

SHA256
4a0004b4bc9832281e078bd47f3b8d225105271ce4a3bde0590edad4edb8d781

SHA512
12cc2bd99e7ce45a40645baf995ee173e4aac49d3873996ce9ea81dbb7ff23b55ee386a77172b68f07893a2a7613a577d935177b0555f823977df66217131ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsMO.exe

Filesize
837KB

MD5
baafb32966ceed0de0ae0e99543e9edc

SHA1
2841477eeaf7455c500e6e54475a8cb9e7893b1f

SHA256
6ef86d997812c5fa0f11fb3d3b167854b716924974f0787fc5f33db46203b20e

SHA512
64836e56b053a433efd5a03dc8fa105d7acec71a52068cbd4a01a32cde9af65d5267aadb12adefb1e15c7b2f3dd4c3b81e29f974b4397b2092a9d093f8bcb2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEAE.exe

Filesize
1.2MB

MD5
bb3a33b01f560188de6eefe90cde563b

SHA1
2c3249cbf4f939a44ce8c750baede8de0756a88a

SHA256
5c82e1daced31be5f1e397bae6b2d55ed5683ac07b888fdcab1a5c735e33a7ef

SHA512
61a190e184013cc6fd17db90e6db15686970301f775929ebfd9a0d20c67536f7904195c69c6e05352b614596a6949b6dbdd1f3beda0f188135dfd1f04cec118f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cook.exe

Filesize
227KB

MD5
97cde61c5272ba15e7c7b616f6a0deca

SHA1
f2f4a66f9cb7a44f8b43b86c9fb6533bb5e9f83d

SHA256
45c87053c66bf61b35f1fdf9d0c2a9bcc85108b35347bcaff037296ba2a1769d

SHA512
8a90021a2994ac0035b7367b25802270c62e8bbd18e3c8982c0810f16f6348b021bf6ae7dc618188d94f2988939e6fbd231ccdb89dc071a3d9c4c07ddd7b31b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgEU.exe

Filesize
643KB

MD5
7bbe6e49b435520d728a268a33a15762

SHA1
42b18dfaeb16d3470958420039f558b441fbf83b

SHA256
edc4fe359c6c2a316710befe0c4bb8a17dc4342aea74800f8911fff0c2f2025f

SHA512
d7b4c2cf918f3e4993ca365cd8436b80fd1a09e5dc81168d1d9a004b803441abb63f95a5e6d856c70eee29ed054c00ff5c47aca596e3a3752f5eb703a8a6cfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkAw.exe

Filesize
187KB

MD5
2ed3fe3d585c50f4f57745aac2555f26

SHA1
32361ca126308f895ad5e02fcbeaf9b5859f3cb6

SHA256
decb46996945887b91016b385a9aa1a63e55a38bd7a834275edfe4dd5306e389

SHA512
c78f58d8dedc7e2bf2ecd6ff1427abb5cc80b2c8d9b5b853f7f38d0d9e2bcfc537ac682672e1f384ded0bd3898893f0ca6b20cfed5be3939dc8d7a113973582d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dkgy.exe

Filesize
224KB

MD5
85b9b8cb485d8ac330b6be1f60b00b52

SHA1
cb2704bc256cc4a1224ad5d19c9a972a065a4a7d

SHA256
ccbfc88d8c9ee3f5f7fd449b9b084849de5c5e1844e2b015d94f39d1b3c968ab

SHA512
91d99ba1d54ec6e889915b61bfd64e3d69c5c5c0645abbb1ea46cbc1a213ed4daf8b78dc8d0b2e1e63721eaf59553b77fa96de4e0a9f028b19c2a78e21970fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQgi.exe

Filesize
209KB

MD5
0c3d45fd40a70ffa2b954c5685d631f3

SHA1
5814e41e8e35aa6f9c264559239764549f53d5bc

SHA256
32788a501d987027143721ccc8877b90bbed78f7b99a5fca162a76d7d05b4152

SHA512
8968bff7cfa9860e43d429aa38162234aae3e8ca9be70111a3eab64083bf9c8ca3d07594a37df88f29a1118fcbc5650988072bea5272655b65da5f492c5f6a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUAO.exe

Filesize
192KB

MD5
30939c8cae2fa2e11ec90e9d47dc28ee

SHA1
b47528cafc4bc9c71bd8090a03a3877cfe7f415e

SHA256
f8714242ff29f695eaeeb63fbccffa0dbb2df931fb6a3127d9a2825b7c98bbe1

SHA512
bd2c79fbc3d9bf6765821c69343348c68aa7f88d14f5c23a09e8684adf697daa7dc84f474ccf9b142788505e76fc960a0d21100f53b500d7535560180509d8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUQm.exe

Filesize
559KB

MD5
5ef8216efd82ce6b48088b146c68a1ed

SHA1
e4a43c5afc0faab4254cbdff6dc29e59e8847d71

SHA256
cf282b6280de990ebe26d0dc0a433bb8e4f63d90a357f367319b661d0f0bbb09

SHA512
7e705005bb215b99cfc934ee30af9cf99cddb74c60ea8ad26dce8bc417216628662a021ec89c5666602a71695bbf94fd5d4eb3b75d39dc188e694e5aa355946c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMIW.exe

Filesize
814KB

MD5
28cb79379c5cfaa38b7a83f823a912be

SHA1
4de64c07abbfb77bd99e63d898d2d86c59a571c0

SHA256
9014aaea23bad74604806f39a1f6c6cd2e6641dc83c08589edb7e4a242f1f97f

SHA512
8ea4a5bfa619b2fe9881a5ff2d46c8853fd8261c9a6021ec2e80b8db5474b2049116e73146c77d5dfc6361f934910a923d8da018e0af4651f5d4e59212746504

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYMO.exe

Filesize
236KB

MD5
ab7c6cd61f439dd6cab1ee7e814deafa

SHA1
9d9d6870313c64219945dbb36df83fdc7d4f6aec

SHA256
96cafb4c1ac8ea1d8cd756294806d5775e91ddcdfcad719de36acb0276902fac

SHA512
faf1e43e1b836b1a05565d0116f2e0fcf974cd45d875b0a1a98f452e661e46ba91aa9dd2200b2c49ba61a92f1ad59d5946a505eb111ea6715310b45dc4c1cdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkoM.exe

Filesize
213KB

MD5
3d6beb83b6e362e9c5297e146c7a8a56

SHA1
96a0e42dfb34e868666f7e533188c260fc7896e3

SHA256
8fd179db4437c275236c5d8444b45ac6bb6500e0f28b962faa38d6aed6d0fe3d

SHA512
cf8a8adf1f68b5234b227e1c77c4c68b03cbeb14e9d3eac389d4cf260457da59d49367c3b32b26691f306170b5b6c2be85d6451fc98b0d6341b790e5129357af

Download Submit
C:\Users\Admin\AppData\Local\Temp\FsEY.exe

Filesize
236KB

MD5
b7949ba317a74235ce11167a06cd5f18

SHA1
913662f09799d139f97e6a3f23345bb016eec1e6

SHA256
65ad9aea8ebfaf305a23452adf57b6756022d23d984c892d67604332c4c41872

SHA512
ff385be6dc78203136b4aa3203be20d031fae326c5939279c0600ecd1c28473b5620386334840d851237ce3b99bbd76d4f3fb35ea130b5f0898a680a2a83f1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQgq.exe

Filesize
646KB

MD5
27ae66736b9942db1a7c08052577e9c0

SHA1
ca95433b21b9b34017c4dc5f6519e665f93bfe6f

SHA256
8612f70efd08e7516fbce01ecc6be04c60110c4b234067747f18a1346e997127

SHA512
23039916e94b5c55b1083f3371915a7a8c3e6f8e272b6346f701a54b9ae154483653e8ecb0897765fa1b9045e32f39d38a51e805fb3a3450ffee8c2880bb9948

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoEw.exe

Filesize
196KB

MD5
3a525c222f32b37821650414abd9c00f

SHA1
c845a322fe1205bf30c6eb8232263e4ff298cf53

SHA256
64a308a25c2e7315ea3bd5ee0e5228d3212c9b6e8f795e5a23282c0dca3034b4

SHA512
16e90c3c88fc8f5f417cea24488c13cdc07b56105616b84ed9e633bb95dce7f3baaa50cbccb1b6f703519d9bde6e651af570ace436a6726e4513ac173ea4d5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEQI.exe

Filesize
1018KB

MD5
2b20cd5321bff8a8ae0a1f546ff1936e

SHA1
3ba722d53129a9c269104e4ac61500a885558670

SHA256
136fdc0bb914e7f6cfb46108fbf2aefd15350c761e90c4adc434deb5d501a1bb

SHA512
97cdf081b8a85d26dd5b450d1c7e181c64d2b0dafda5b7f8b74f605399714e290a7984d728a2004e3ade8d6bb1b3efbd53f557c149ff1ecab4f3e00aa773393d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgIYIkUw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hski.exe

Filesize
185KB

MD5
dcf46446d97e55f4da10ecb70bdcaa7c

SHA1
7719a59e21447067ff1a3360af4f281e40024ab2

SHA256
6472f70e54f6ff560c9f80da70e99c93302d7523ff4608f1be9fb327a3873d60

SHA512
189e722f024470ae1e2cbe7c06ed3f651557d09660f16f3feb5c001f10e0b748daac69d1d18512a9cb57a20879bf9b1918f34b93d73baffaf3706cb95e8f7861

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAIq.exe

Filesize
1.8MB

MD5
ff338ae621cd1056ae888c5862c3a502

SHA1
996f88b37cb77968f33ee00d66b4efc2f5214aab

SHA256
171456450fa587cceb0eadae79b3240ee6c7fd3952a10c629961041e5a7a8ce1

SHA512
9114961ab5418287ccc643a506561b94a436e1df767c20d70116f35b99a79ea8d21c0cf6782fbba3e080ee88e931d13a9c41149fa869fe4fdf9b19bd00f48cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JwMU.exe

Filesize
718KB

MD5
c7db37e38bcf8bbec2965598b608e1d3

SHA1
0f226fc19d31f44b6785451b150f85d7854ce9dc

SHA256
dba4cdcb9098689f5219048cbc30dd1cf979d17327e3680ede0d7e9d1e510307

SHA512
dca7190eb96e941a99cc06041be28075b7f7673785e69a1e7bdba8e2ad7bee7e38cf522c0b39ee932950d4a1e1fef223866d10d661ae684dc5e0fc9ece84db9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JwUK.exe

Filesize
195KB

MD5
3f13f92eeb72488963a71020c40af247

SHA1
c7121b493a18e17fc47322c277527cf0a9bf503a

SHA256
a3c77fbf1913378a686d5c077464e4c8fc81f0459631fb31b383a9102f0542b9

SHA512
b58336fd1054189bd18928c8c338fac4591e3e707f8c4664245fb6665cc9fd9749c1044516402a425d405794c8ed00b106f0bdec48fc582bc455ea500011bfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUAK.exe

Filesize
518KB

MD5
12794cc67063ea8b37cb7dda704f86dc

SHA1
41dff46d46685520c6d3cae68c54d6f886bf7475

SHA256
130f3c0ee5ae3e300f449471d5eee3c9e50a77cb250f6003bd400c6d9b03fa7a

SHA512
a2df38114d7cb3c61ba9bff540c6941d1fedd4364ac33e3ca807e0dd173d8f4a3b006d7dca0a9f22d96a6b0f9d6d674cf79d252cb652c9c19e39eb414b4a2b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kkwu.exe

Filesize
751KB

MD5
8bd9bb53e349a4f178143e7e6387d8f9

SHA1
29408005b9ae99138c983a39ccb89fcd8ae2850a

SHA256
06fe0e9d87a9d37d5729da5182f1a4f19005d15d7d503d600be20b18ee6a3ac3

SHA512
af45e8ce7ea461c543a945ee3fcecbf0ffbf2542d5958c8626146914aeeb0e52136c98e581c9f3a1a8435f0efb814b9cbe7edb720a53c55d1ef38a5e921a4f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYcu.exe

Filesize
184KB

MD5
006c232ce099800ba8058cd42b302adc

SHA1
420c6f9cca6f5c473a1fa36efcad9cf0c4aab465

SHA256
e3783d0b9cad0f5a6aa1da899a178190af102eac0372eb0440591b4a3963c054

SHA512
1690fb7ded75abcf6cb914184705ba7c27b22529dba984f09ea7733e79ae45f31b65c9f8fa7c228c4e4b3b8334ffc2b72054ee65ad519aa301cc2a31620c89c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgcU.exe

Filesize
230KB

MD5
24da8e30cd112bae8d12b33412b5e931

SHA1
030c1a2b5326ec22a7115aec1e172746617890a3

SHA256
e362ec7ead8e8a989ad169f6d72ba394a102fd63d7a4f4ae5b0ac2abd7cb8ecb

SHA512
9b65397ab06ccc9026672a39f7c063bc0f861b52ed29198ec9d95c1c2c35ddbb906d2e5e8993f2e11623db3e899900c4c671f046260cdca264a7c7345d159612

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgwK.exe

Filesize
208KB

MD5
38509b85a76a411567cec967bb794b71

SHA1
840969843f12425f65086b0402e47686882f8b47

SHA256
0c6062b29c383ccf4e183c808eeada65def45eb4e9c27d080f114ea046d4afe4

SHA512
26b410ec37b2def8f754bb289e6ca68f4f273e8eefe299ccef692329b60f2a86ddf678c30ee3fd5dcc9b651e5d361c6e0b930ed90087991f9ef6df508689535c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCkwcwsQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMkE.exe

Filesize
5.9MB

MD5
4d2507b3a1c114bc014de4dec2b64da2

SHA1
ec6fb84acda711d83a1a1725452b60fb62ad68a1

SHA256
d302577343a20ac973d166a47f1db7f334d55cd23a0f06d983645eb3f6264648

SHA512
5df38912c0395cb5094c3c8dff634415f9776889df66999aea09e114b1b2e4ea011a28703f9aa9a932641c60ea6a26f91ccf70b55d1c141368ad62ce82d746ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMogIEUI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQsa.exe

Filesize
238KB

MD5
9429219912a8696c9d3884a9c4c73be1

SHA1
a61562582174ba2ef481ff734d662a1d6a3776a6

SHA256
eae0151540ec87bc6cc0bcd969e725f4787e7434ea9e333e0edd3ba12a9949dd

SHA512
c6e71360ca6ad3a877395819291be75fd9e2b728083b28f313e043232782219b65534923eae98ba2a3daf7bdfeea44b457bc248c7be0ae8c3a72f11475bbb197

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgUQ.exe

Filesize
500KB

MD5
b88ad2480c39de5aa57c3ac6f6b08307

SHA1
3467d5f9105c631cbe921a681cfa49d0a6c64d43

SHA256
fe41c0ebb295e08bd57e5287f8505289e407658d349f2415131f1cbc007a7505

SHA512
27da6778473eb030562243e237e4097de2b18f58ccd93ac03b86e95892c0d3fb35f0c53d3b469631236387c31aab30a3e84c8f307ba7b137e96346256eb9e967

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mgws.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkcO.exe

Filesize
196KB

MD5
eea815249c6070cdaaf822a9ffe87b2c

SHA1
5797f8026134b76357938798ddd89bac7031b18d

SHA256
551704457816501514e1637b9d4eb7d5847d248c766fdc38246bd039bb333bd7

SHA512
b89c901cd526ecb15facee46f30142fe116a01c115ed67eb88d199d44b4b504da2e8257f57096f57e05e816b27dfc33cbbaa425e2bc8347908387cac8303a187

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsEy.exe

Filesize
221KB

MD5
f2ab9b95b77e07aadf563624ea8ecb37

SHA1
bee5ad9569e0f6a8753a4ac26378c954aa657f50

SHA256
d5f2efc0864e52c299f7ed58da13d5f6ad87cc3cf1c2b44c161eadec7a377541

SHA512
e294c72cb92d1057bb5e7c285d50f14f3e9da5784a16467cf35287fa886cef26dfd114cd12fe75ae09615f3e3bdc6d1f99c70634455807559014d691651847ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAoA.exe

Filesize
195KB

MD5
e5fff4d9592227861be0a302a7d59d9b

SHA1
b934d4caa7607cf558e1385b4ab4b2d8c0a2ec34

SHA256
6754da903bd9de81e6c19bfd0b0661f33b1a1473c78aa074b4244f23b7f5d5fb

SHA512
53a17ae0de42d657cedb4091ed207e3b45d52ea5e27eb32462a30cbe7f96950ac9b15d7618baba6ab8d94dc849227e1c28c6e32fd5e2ca90be91e7f5a5cb727b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEce.exe

Filesize
200KB

MD5
82b01a0ad7e5ae98150d1ae176840bb4

SHA1
482296d2dd38f1a15a9e83d55e8c7ead32168b66

SHA256
9a49e99f95a50dec59466a453ff4e031087eda1802eb950aa7cf2898060f79a8

SHA512
572ea0091c958727a630e663cc260b2553bad65a7321bc7be66efd5625a29ea1b20709d44eaf1a28c8fc5e9e0533a4ca849dbd8a27db0ccdc2ac24f3c4136c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ooos.exe

Filesize
1.0MB

MD5
f8c927761ec01b8e268bfb2878e38fc2

SHA1
638ea26597ad31c8ea72f3bc0b89e48b9497417c

SHA256
87a5b07e95676e232bde2cdf7a336bb79d00c19ba899fafe2b442d31a2534380

SHA512
60e7f5450ab8d2e977b82e678a9cc293f6b331ec820ee33c75a36e6e6f0af54fed21b698b3ad93677f37c45d9862ba394131717201236d759af6c29d70b65a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwcU.exe

Filesize
203KB

MD5
2448d3f9c4013cc5f10afdc3009544e0

SHA1
df4f685011819c907eceb22221c66b2eeb682dad

SHA256
2c89785e2a94d3fbc599eb32dffd308001caca4fb11472406580623b7295a5c9

SHA512
126c44146b8c29c0d35502ef833deb7b360a132d79aac66d31fecf81518dc0c45de38895171496966c48a39047afa982ba630ed71d53a57ac86ef76e76826624

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgQW.exe

Filesize
200KB

MD5
0411a337bc5e2ef1322c8fbc1e834771

SHA1
078ce35ffa57f3e2e34f6228448797ebd40ddab7

SHA256
b861d457787699338c1d4bf929761d56079dbd625e13cae7efd87594b3e24f24

SHA512
456370a402fe9d4dfa5449626ccef277680c6e83185eb52843ecae54e1a36c7f146e06f1f5e844f20612de4bd059560bdb952b54da5fafdd99a8f8748b41b424

Download Submit
C:\Users\Admin\AppData\Local\Temp\QCQkcQos.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEIi.exe

Filesize
189KB

MD5
b5850d195ce958c467be81fd0fd7cd57

SHA1
6de35ce3bd8e903c6b482a8a47e3441735c488e7

SHA256
4ceb43ba3c4e1037626eb5a12528b9716be432ecd0c80ec5773c0916290f1ad3

SHA512
235e25cb737e65fe8bc1c912dcddbc31715a80437b4093abf6bcd02486eaf3208c1bbefba42b99c8636cf390f54f48668695b3b9a6f606c79de678a5b138d622

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwwO.exe

Filesize
201KB

MD5
6069ea4599ab85c1ad3dc1213ef38ada

SHA1
fb61579e29f92148946540dac25ac69ceaf82ffe

SHA256
30f309a31ef67f9fd2d4d555520f97ac46fa31c16f5f0db827a0931c0623a41a

SHA512
091a4a6f7f83b7909240d901c769e2e5fe1a1d6cebee1b1cf9b504975c3ae02622249534aa64a9dc6ebca66646031f2ced5127564d7fc683cc5df042275e5e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAwq.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\REIi.exe

Filesize
398KB

MD5
df530c0f981caf9f5b8471ab2b201fc2

SHA1
5a02d3e3c83668f282a11a491ea23d437101ec1e

SHA256
399262ab1ab35dd92d143214bed0b051cc0eb6cf7a81f95d45a59ede73cd3461

SHA512
a1235f242f86547a7eb565da5d08be8941d08f986c79a08b25eeb331cf1a53aaf461ab846447a8b22562c86ceea100048e612bb71a59e438c4b1fbbf207ad3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUYm.exe

Filesize
392KB

MD5
4091519f824149a2632b82bb7739cf4c

SHA1
0dc61fe4857f99f2cdbe29bfed999228644a5c63

SHA256
7e826dff62b70c71ce12c44a7a771f37fdcf4c7a7127f60068709ab3cd2e95ec

SHA512
f9dff9aba0f11bc8856000cd1a2953c886e44e6d9a06480224a2217a6c44217638e1bf88042291de2284311a8c5997eac37eeb50988be3ffd5890e3493be347d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwYG.exe

Filesize
320KB

MD5
20e1021948da75dfd0ff453044605f01

SHA1
acdc029041f6156d34b98fc23e42772ce24cd3aa

SHA256
04917ceedc6b1202921e7d9ccc9fe05668e862dc8bb71a7621d6b5e235f7e53f

SHA512
65b03f320188b3f18256d02eab6cb6190e88780550d63a7074ee6748d1026b645cf11872f7835b87686cf81402b2d2efaf2c913b5c7ce4f467ad1295c812563b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMUO.exe

Filesize
836KB

MD5
aef5040513a11e73d6e2ac91b576aafa

SHA1
c183718337a8016e3d65900b60e9aef5489db4b9

SHA256
813c1f0c22f692ccaa43d5d2499d13198f3e3c2b9a28002018fac5ce7af0b157

SHA512
a83eb7fb6486e0548b59a40f836cb95c4f1c7bf62d2e84208f51ec2e5e996ea0f087180a21f08f2704781922e83775dafc273f0af7deb2d0d9a1cc3a9a4032f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUMo.exe

Filesize
197KB

MD5
3bbe18180f21f8af242fa5d9f056893e

SHA1
85a2b6f2e98b26d66d07c8967b5e3c4f3472ecdc

SHA256
15220dda1d930ba0ad0c83081a0b41a3b64aa567f37cb76ab8f5c6e2b4a62dfb

SHA512
e741e3befa2abea60d04dbe62201a46e2ce74867fce21ad30fab6d0c3f5701cc5736bcd8b6a1c6626eb88ad38382e18f4c8d1c87c66b9bf29c12ad2a1e5f952e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twse.exe

Filesize
1.3MB

MD5
2baa11cb4a9fdf5ea2b7503edc8d4e5e

SHA1
a17ee3958a4bd97902803f7cb5aba5ba3cd792dd

SHA256
7c440151a60dc4dee44ecce48a86cafd066e348a64b627fa1bac46980140c554

SHA512
915b429d3b91046ee8abbeedbdd08a90818a7f0d05e712aa6db324bae5909844fff8c01ab2e46f732e8d2280f608ad11f035fa7ae876ab76ee025794c29c93f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIEi.exe

Filesize
227KB

MD5
07e46d6a4f8e3e4b2f4841ada843550d

SHA1
07151dea5bea924b4ce4d8388ba420f519334f1f

SHA256
406beff79610548a087b9ba565b58aa49c252e9fca2bd84ae065a52abc972ba6

SHA512
e279fc2d9583002922f134fc5169c71b5195657503ec938fba53b5f1b2c5c0f37b8bdce68427a2cb656716512385b394fc466ecadaa749eb8dc06363ed4f4833

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMYQ.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ugkq.exe

Filesize
781KB

MD5
1d27512b091510487a50b34bb19d2520

SHA1
0a87c2007bb94027671796cd8a9067a18067c1e0

SHA256
c9f6d250f454178039cea47c0d4b4807740d40b54f679c4b27e24c26613e139e

SHA512
4809bfab1bc39fc7304f0467247a9010047121242f580d424efc72cdf0718dcec08cdab5a60f12457833c482f75c48a710f45c3d4a635981bcf384493eb50afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQQq.exe

Filesize
187KB

MD5
68cfd7030725fe1a2360b4fbd032aebe

SHA1
7d6d5837589e73f945c2633b723dacd9a3a6d630

SHA256
21486289bf7199c33d331c06e27f8e14a487e1e980898a7fb502e6b5e607dc18

SHA512
b4531a76fe8e867c564ab7ee1c6929b320444de1a819d5661362d59f4e4b8ca33054c4a140bf668c78a4a616aa1a96f9d1c61bab62cb731400c2b25b5b13b3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkIq.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wsgy.ico

Filesize
4KB

MD5
383646cca62e4fe9e6ab638e6dea9b9e

SHA1
b91b3cbb9bcf486bb7dc28dc89301464659bb95b

SHA256
9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5

SHA512
03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwoi.exe

Filesize
184KB

MD5
f94611bdc5dbe83b7fc1c65268d3b2c3

SHA1
940d750a551c8c25505c1e08ba721a91e3300523

SHA256
0c8ed8bba314ea89eabd15939a0c58e1419fc8c0d1b503d673882597d42d0d7b

SHA512
54a248e21b52d6ae2035cd65a2298a08a31bc4f35d60c5b755d512f6e7a8d9ba3cf9ce3ee93179ca2d3cf63a7a12794df7afffb026354a4fe9aa267abc7f6036

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAQA.exe

Filesize
197KB

MD5
63cd8f3cbba783f0d25229666d5bba22

SHA1
b7998d24c5f6925e18d9833d93e2ef470bc559b4

SHA256
b5c908bdb6bd0119ed7ec52c4720bc9fc2572ed7c84ec8ee1e1d4f0006fe4b3f

SHA512
01cb63684920669863032746b562a7034d41f0ee8128ee4670cbde56acb000a37b399ff180d81209f81ab5efad5c02bd2355ef1b951c1d7436aaf424556d0f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIsg.exe

Filesize
316KB

MD5
9b8b71ccbb0310e5676c59c2a25803ff

SHA1
df845f3261847285636c71b8afb2ae24b8584296

SHA256
f67c5093579fbbf0f5b8271e9a907223a52172a804eda3dcf2a0de4ef43b2e86

SHA512
8b0946140b44475deb9a76d9a3024d36d0f0fc39f8d83abd3257b9ff0f4b2ee5c15f0bdb7e2cd9c4ac173671333b35b26c3448d2fbd37bf59d6a147bbf2936e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQAy.exe

Filesize
315KB

MD5
486f0791989d35598e33f154c9e0c8ee

SHA1
e4977ff12af7ab1f6cbd3a11f25c34b734a0a23b

SHA256
b0f447fff192f2d22b22072fdeaa92ffd1f17ace8a401d0e105ac6aa08dde654

SHA512
bfbe766dbe0eb0b189deb8676ab9c1195787067694a8d51b6d7165d6b9c165a758258d70b5b6c71a500a36e81f6cd457fbd143b877ef0fef5dc7a998e9396dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsME.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZOIkMUgs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUYa.exe

Filesize
234KB

MD5
d970d607b9689b5a83aeeea80652fe07

SHA1
919e9ad5ac4c989efd65af4d7eddcac539f27526

SHA256
572f8dd771b7cb3d7cba37df1324028eed7b3e1b47ead32d35ba8879b818f7d6

SHA512
6c3f1e24c5cf4bca4dd201f662e20012be0dc667e0aea92f059c7196ee044d416a0836dcb09c12315d0f38c22995e9eedd227c0e02fc9080345675181885eed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwAW.exe

Filesize
190KB

MD5
ad4c3220abe2db2a65e906c97121074b

SHA1
966b73fa91511373b0287a1f7647c9a2552a58bb

SHA256
82a48fef41aaaba66db9de406f47c8c3fef6da6198aca02d2b4aa980b26ddcaa

SHA512
3bff5b4db129eca69fa4adbf25328f3d4f29dedb21cf066d9f8fa6a79adb11f86793ddeb541d61b7ad63d0386f16b9b302d94faa8ffde388419b008250c686a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZyUksUAA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\akEK.exe

Filesize
651KB

MD5
2417064c8f3ec15991072d64007b38a4

SHA1
0f7d504ee761ff37745b12740d4fe32ee54475b1

SHA256
dde141a15bcc5fa8825429d5546665721bf812eb347bdbdd0e062b8d761bb723

SHA512
c3c1cc136593738d33664cd4b559d4d134cbba55603e4e52e3de6f181aff5f081935dd6bdb8ab941fda58bdcbc851bd866ed9d0c6a9cf3973498ee214fdf228e

Download Submit
C:\Users\Admin\AppData\Local\Temp\asIC.exe

Filesize
192KB

MD5
74d82a6effcb28cf669e707c7cd8fc07

SHA1
1b69c388b247e62dbb3af25a5ced071a381d7ddd

SHA256
7d1a6e1b132a4a1cc87298df0e33f7308ff68b6bde2de61d74d6f57a0fb46d5e

SHA512
1d8941a9110478b3c58e1f0b8e88bc448530c7d6a5bcd68ac0c79f18ef7c63bb92da4fd91058acdfdcc055b0e262208777a9c78d54b880199dc7d3ec4aa596b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkMM.exe

Filesize
203KB

MD5
3375a5ce3caced3bbe5e2488921f4766

SHA1
c4c0dd887406f30a6cde462f82d7a1ecbdd27a84

SHA256
70e86de44f622a20fcebbd32bcd3a1e2e813a910e2562862dd70f6d41a91965d

SHA512
3d2c1f2b4b7f6c4e1792ac89fa0e7d663908786944cc0acf9c33dc86a476f78656f5d618f32063e15cd8bdb0a078d4b7d329cb66a48da1e4349ce7d250378eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEMO.exe

Filesize
185KB

MD5
3947de47e53da3dc09450cc0cf58accd

SHA1
27a0a8f9dab37e44250688c92d602f59970d6783

SHA256
6ce0b8dd21744ce30a33108dde232e9dadd9ff8cbc98c9298af79310ad3c213d

SHA512
8b9a160d919480f24a2b3a9b8670a08ac7a6d08abff56300d5493d4d3fbd31ba12a239bd1c898acd39e28010779755c2349e14ef559d0a0c0e1eba07435647bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMAU.exe

Filesize
401KB

MD5
cbc7c801076b2c5ead75be07a5c1cd67

SHA1
53ac95d11a732aa9bc367fd1c8cdf16df39a2f02

SHA256
dff27c3decfbc8885eeba634665935b0c8a83edb70833f892044059d90ecc31b

SHA512
114d979a20357ed574085dadd85095d55b8b6de0b5ec3123937e30f84f7a77806db39e23f4ac55cd8b923aece27771b8d839e67ef93ed63c2a2a9a8ba57f8dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQgw.exe

Filesize
217KB

MD5
1da9771c825c99e2743c1fe9cee67c14

SHA1
93b5edab36c7d3aa5d277080d0db109fa89d0a7b

SHA256
260347018ee699ab6724750e834363a823bc9a089691027c4e72291722c7d228

SHA512
941ef245ea72014556fa5325ba44251f616fbe59a606df2b86f565594f19bccf6442de0583c59d875be8eb89d4168fc4fe93efa0f73f604afaa91f4d96ee74db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckEs.exe

Filesize
316KB

MD5
8f1bffc43e4866e4a180fad672321faf

SHA1
1fc6ae8b3c34a6dec442020ad9253c51841a2499

SHA256
912588f6bc8d17aabe0c1dc66500e1bfdfc66222c909b8ca17e4ce03e0706cb6

SHA512
2208e8c32704df86329b6841f29f11967683bdd6366d99cb1a842654bc29f343bd0bd69d335d4f9e4c3c253c09488cadc0dd0e740e0ded99f5dfc34711ea2a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwwQ.exe

Filesize
210KB

MD5
6fe93fc89a9fced3b4dfd8b2365c9fba

SHA1
7e62a6e8f733bec3106e90f7c53ca1074f55f5dc

SHA256
0f71b2c032c6cff5315838e40cbd969560826650f8ef3a4ffef656726d1bdd94

SHA512
07ad2487c67989c6429040ad431792462f68e611ef3ff98322a757d0aad07d4990a6b0e31d26287664d341486efe4bdd60b0d9a455517738c0f0856927bc34c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUUg.exe

Filesize
644KB

MD5
6b2c2e2eab084ccc0a6862f1f5c99962

SHA1
a2c942cb491e14369c631c01e886672fe2a3e013

SHA256
7272a2bacde7c5c85c2afcd726af04366b9bc1dfe4de550ba450e9b558238327

SHA512
8a535590bf74849491ba00383770da11f8188af4e7665b61cf668ad5024b79d0d47db6cc9345ca317a60dd8e36e20550f3dd3ced4f40ae702e8f0beb4504d759

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoYk.exe

Filesize
220KB

MD5
aaaf9cd93273c9c90a2030aca2e7032f

SHA1
8a83c7ab1a40ed50298cd0a95dc0f1d009d93eff

SHA256
19449e5a03cac638c2e071aa8a17cef7b4d9dc1482e676fb66845ab23fb46565

SHA512
62c8d0464294e42e593564c0cfb9632f7c984a8bf237fa796b0d58b9a9ebc5e4c616ef0732d0f682f95717a9281e63ef33038f795e3adfb41525bc9bb78dd4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgQy.exe

Filesize
194KB

MD5
5832e118b53bba3013ba5ab0109ce6fa

SHA1
81cd931918ae634b53583021772e68fb75d6c58e

SHA256
34af0682ebc8fef517b6dfa5fa3d37ea06b9e767bf6915e5254b8ea11f0a2569

SHA512
3b71001facb6bfb2de2a342fbddb825fa9c3e6420b9cbd35ba1c3b19a1f54d16e7336ab2221e7e15ed414ed915d0646898f3e30538fa5f5817cf6398236e1161

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsAA.exe

Filesize
182KB

MD5
6f1b0adedee14178750b8b6578732a1f

SHA1
b0999ba54f6250f645297284b2712cefb0ee51f8

SHA256
8f95135a0d72f521211e93a3fc9cc871d85439c3237203bc6e68dcecf2844e3b

SHA512
938065777235245ca9f6ac91750efe523974bf4199f03a48595e081f4a8b0515ccb65ab8978a6301df48c79550fad1bfc9aeb3da98e98e1a6eaf6fe8e31a179d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hEsq.exe

Filesize
1.1MB

MD5
3aa820722ac8bbc7d688f9ef6d4bab0b

SHA1
b1eef7c02ac0c5d2748ab06bb21d4e9736225b18

SHA256
bb55aeb87ead5effed233c2d82be616b0da7482b2550f64932c89e56dc6f7b2b

SHA512
9f6e7bff4bbb27380e70be421f39399f477d80cac4744a3667d886b372c6163630e3f6aafc8080ce2e79096a572296a35fb685a1070266de1890082b206d7934

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIoE.exe

Filesize
187KB

MD5
cd4bbb7edd4b546bae86238f8a1360e5

SHA1
a4e625b75c7db78df00e7e907b8e7558aea38328

SHA256
dc3f45c8c22366433efd75cec5dae62c989331c9bb17a4bc590efd98f1dadc87

SHA512
6fb57923babcd67dd8ae03e5c7fbd258fa52a2e5f144a7df5b07f9fd69fd24437db084c5b274e743beaea81bf2f2bc5cc97443820d45f2bf2411191bd3bbeb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUow.exe

Filesize
818KB

MD5
9239318b45b988ec3665acf8914fc9b8

SHA1
38f68a20d94cb5639068e62311efafd8cc612b6f

SHA256
1a8f6e6739e23c3b862ec32578bae42da7aac891c94249084a53792f946d3d8a

SHA512
31e25c0f47614c573a8ec929d399574187da60b1c74f1e14038b1a06f0a3bf68462af9a10a8956d01d4ff87aec20e79292224bc99f0772824b5bf8dc65082188

Download Submit
C:\Users\Admin\AppData\Local\Temp\hksu.exe

Filesize
652KB

MD5
b1e06181e02529c30a9f3147864f971c

SHA1
6aa49e76a997138209acabc8d7aaf444ae4bd31a

SHA256
ce72734cbec9b69aa529b65fe5c384daff72e4fb85b6fa14a640898af97a6a7a

SHA512
832c53860f5d4b954c010b96c7e72597e40ce7f7396d96d78c2fd52ad2cb83833405df672d5ad9647ed469ed0497cd81a3841495132b6677a5ded39949df01e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAQA.exe

Filesize
200KB

MD5
4a3faa519618bf5213252c07a420cc1b

SHA1
a505ea9684204a1fcc070b3b8cb6e1d86df4f7e4

SHA256
fb599b712484c3473954d9c2726bac40936af46cc2cb3816267b9fc86a2d6a9c

SHA512
f0ba841fe3a8bd6b53e1a2bb963472a71fc880fa68169274c4cc7369fe0d107481bfcacaa35c55be144f85974fe990d6e6d105f3fc5e8c92ccd800ab624fef95

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAoS.exe

Filesize
196KB

MD5
a08dbc883c1fddb3fb9d630ecd134a11

SHA1
798639e9f63eea0704fa93455969c2de27ee456b

SHA256
e11271b6da37b855fc74f8d342ff3d43b2d1cb2c0e28df814ac8988513183282

SHA512
9c8e6f046e16f4d8b49180b4c1a8fd728a03b1797cad81c5de4cafc5963e2d92fe88ae342fe2b9dec2eef748d4e0ae707bea7ac20d4f58988e4d5f2c51ae9331

Download Submit
C:\Users\Admin\AppData\Local\Temp\iCAsQAQw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\iscQ.exe

Filesize
194KB

MD5
2d50e8bcc085da8d116e11ef036c5ff2

SHA1
02b89f292ac36a020b0d9ac54ef228427c07a69c

SHA256
44cc95e9da005cfef78e0b6468c169e9c0970fa6611df5f65c6a6b47de020004

SHA512
582122d474613069540de764e8d2ab2064929357911bfd82f845067d8cb0756b51c450120d5973c4743d2d2cb54b2b3bee9dc260b67b1e07842c064cc2187859

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMoI.exe

Filesize
779KB

MD5
b8086f2e84fe9c7d488aaa2909c9621c

SHA1
454a7024cb49546836b7195e99e6a98904c30238

SHA256
182db08ef3d889bf264c732a2f6389b83044dff2ccce01c818bd10f7fd441a1f

SHA512
bd0af26200bab9415459316e018bd083440e1dd90422ecf0aaa858596914ed616b9ebbd1971d3beba0a475c8e0dd3b8c5d4ff40603d1e7c2f405b353598efba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYsQ.exe

Filesize
689KB

MD5
31e65e3f67d94cf4d2dc6c5eb9761f92

SHA1
85d48421f288d20c7e46aaf147fedc3a9b6ef559

SHA256
d66cbae1f8ecab49f51619ddb1b203f01e85d50be5e73c55e80dad22087804ae

SHA512
c69e6eaa9000c7825155a53bc80e4c17840d2c49b360f8f55d863adaa5d9b7e3017b79c57d675155e4612f204340340cfa64c2403e57eb295537be677c90abbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcsM.exe

Filesize
211KB

MD5
bce9cf31234274c0b312ca468428dcde

SHA1
a8f3286d1dbb91c45a1a30dae6e3871ebb14c885

SHA256
4e8566d7e4f983a85e9815f3a1258b0e0cacb9d6dadf4fb3a711914e27b57bbe

SHA512
8ca20868838750307f0fbac8f9ca03e05b7f2801907fdde58cd73efaf7d2a137b038b1bae33787c4f529a1b9e7bb708a90948dbbf5749770a523d5e8f6174441

Download Submit
C:\Users\Admin\AppData\Local\Temp\joUA.exe

Filesize
317KB

MD5
88ccf15b552a18e1f4ed666ff33d3f0a

SHA1
283ad93931c2c93d2638e91166797671d38cf588

SHA256
0d11199d6426e11ab08195e0604b94946e0927ff341b3d7ac5a4c9048f9e47ac

SHA512
86fda59b6ec347411bac51ddaa583b4b9eef896743c51b18305d41e4bf78ebbe7edfdf145526eaa70451066a02405e71259eba4a3a85b98bb3ea51348781a11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEkI.exe

Filesize
248KB

MD5
74429c480b3fb8272a6914c8db093b5e

SHA1
56365c5c375a685e79cf7c82168e462aa40164e0

SHA256
e68b0472d8f013a9030cb4a0ad1d6a7b2dbcfbe152b2633100582420955629ea

SHA512
f4699b96512f11e8770759db95a455895371f58f1ea50efc730a055ca09515ff667b92550571a7eb643c399126c88bccea52a2b72e86a0596068aa526ac4e177

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIYQ.exe

Filesize
189KB

MD5
731f2b9589e64cd0cf6888438c97623f

SHA1
8a14c36b05058dff597598bb62bac5f184f60e5e

SHA256
3295f64680de33dd632e96b85cd830c9416d24dc2195c447553f37139e1c286f

SHA512
5625b60645674d9b4c0478ac2b9dedfdcb17f760622f040e316b7731ef2d5d7006bcf25a263c6cb7221a9f462149c5934cac7b3d46d107a3422bc3f60897f258

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMEQ.exe

Filesize
5.9MB

MD5
fa9c4cf958c9b1ea045c4b055a926e9a

SHA1
dd7f4704561fa27eef61948b65f103144785a637

SHA256
25221915e8ce308400588a1b7fe07c95a38a10c412d3fafb194b6f6e2e8ec9ff

SHA512
fb07ca92db5503a0fb6c3517fef46d0f9c47c770720555f77f9feb62a4e89e3fc8c03c4b38e96f13ab98a024e0a3ad5edc591c335511891ba9c38af07923b418

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwQm.exe

Filesize
642KB

MD5
012d72b014913cc2585867e9d3e0011f

SHA1
124b4832e959c86ed93327200e5a660ef5153ff9

SHA256
c13cb08df7d1ca6ff4cd4b31362d60e1654f8af114cc686bf0897e486c619e65

SHA512
834e2252076010ec3f881cf09bd02d66c091e92cf79a2e90415b3fa10bc2fec9de565e070db5706268f81916b0201681e4f50706c60a707b78e6b761d2a29c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIYg.exe

Filesize
242KB

MD5
5c5270db844d30b68e27ab3cc79e807e

SHA1
4aca11eb1562fc9a4f75eacefc8dc6970fbad387

SHA256
7ed3930cb57dfe6a399b93e081e99c076e1153cfb1156bc873568a3bb0ef6160

SHA512
ec2b1f98d9ede1086f08092e58051874aaa132532f0dec877875042dbb1137241a74421a9505ccb8cc7a46434116eed33c9f988324d32fa632df2d2f2e65bdcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkwk.exe

Filesize
219KB

MD5
bfcaa921f3bbbd2fdef2cdc2a9fec30d

SHA1
f145114dc005e9fc9fc0db15101b8414d44a33e5

SHA256
acd92711f22d565cb32f8ddf6a94334de932ae05a053d9e58e15ea5db32f726e

SHA512
c8a67fb0a2f5327da22f26dbaa28d824c59fccdef0dadb2062cbf28bf7a047c2b4a29c86aa3a7a745b985551fbaf8c985aba1e4f10d08e7fd65d1d2f8e31135b

Download Submit
C:\Users\Admin\AppData\Local\Temp\logI.exe

Filesize
437KB

MD5
e4648ab1af5f684613361813ad21f528

SHA1
8ebb65180610b1197441795b14355ab23fcf0a09

SHA256
9cf1210b97d2ab728a40fd137d0db50d295c938c93299d951802f1c6a929315c

SHA512
866cbc25f30dc9bdee450cf5e9190bf2d1b864b1ff305c014a3455da2516e4fb893aca80d58df6ee81615125f8cf11a629149bda218fcd18900e66b76e76339e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAUs.exe

Filesize
226KB

MD5
0a8b4aa3b7200f98e12e1b08b6e246e0

SHA1
daeedeea980be44042e1fa192cbb24a2212418c9

SHA256
4e7bdf1a2984298e17317f31eaf7d47be03acc119f6295682933cd257e861705

SHA512
9951a3d086926f269366bf881d405a0898de588dff42fd7d35538ff8a642357b9007388bd76f9215fb409035f40b65a956bf867f3bfc5a99b2079fbd4956f174

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIIC.exe

Filesize
814KB

MD5
7ec43468d364fccdc57e6ba2db7d1638

SHA1
19e9da99f045cd2c61ea8e56c22dc4d27a4b468c

SHA256
0c0a13006594efd8cffbb5ec759d0f0ae13197ca7f69973273b302f5ff047220

SHA512
17c44ba222206bf65d7206e2b88d9bf7e6e9de557e3aeff6f619465318fb377883b7b5d69a556473c79f14138eb172e726e1945011523ca5c988ec86358c88aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMkQ.exe

Filesize
649KB

MD5
1829d98efd6ba553a710f299abfa03fc

SHA1
6be3006a428291ff207a389af1fcc04de75d6379

SHA256
c9fb6161dc446cbb70b2e6fde93f5eeeea69dc91c5cc61421872ec0f05455583

SHA512
63f34b5c293dff9691180992e5602ad3ef507ec4059facd2ce8d48b21edce46b5be6ed3aeb1da0494ca0b9634adbd81d7a5d896dc8c7782cc5e4ef5804cb3d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mOowsIcM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mowM.exe

Filesize
190KB

MD5
96de4801574d19d7c78d580a27b90a7c

SHA1
5aa03f47b8d36ef6aef320470f2f185709671af2

SHA256
c3d4dff4ec612bb1ca92be3be52e592eb7ce224f2bfc6a5633b2f7378850fe42

SHA512
7ec157c01a3d97e63ccf883e2e96e5e88d77f6fc8765aad0dedce80494d59653a719f68d32de243e64669ebbfbd781485d6d1ff8ad1ea5216044bb90d2caa414

Download Submit
C:\Users\Admin\AppData\Local\Temp\msEy.exe

Filesize
200KB

MD5
345fb447224dc548106f024d9c2f901f

SHA1
9a7177ee2fd6c3453017543a4e1afdb61276535b

SHA256
61137005017be1103cef0074513adb37bb5168e05dddc003f47f4aeacaf6b920

SHA512
0ae7800c32525839de8afe4c12233e50241dda9fef42493dd79dcb3d356db2fcf91f9b2c0d38edfa248ba16b8aaa4cb6339a796b9361386f6330900c43991494

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAgi.exe

Filesize
191KB

MD5
afcd2bd892fdd69d0a20793fe49e8231

SHA1
a10b2143f1c28470c3d84903aed74a6a2e43298e

SHA256
b16a1a1c8363d672b52ce32e36f7b4cc022552036eacf8e3daaa55cf332d3155

SHA512
d3421c9f87d647f4beeda6764636e19c4e79220a2f9d2dbe5a05539f3e934e6c7246453550c31b732e124f6c3e3a2f5aa3e3d43b659802dd690d45517bfdf9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAsQIMcQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAsQIMcQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngUc.exe

Filesize
196KB

MD5
a9251a2c91a4aadaa4362c60a96dcf80

SHA1
5bc6ae53eaed2709d9207d21c0588edb05810f9f

SHA256
85eb337a0741e9b3d61cef3b43123b501b1b8ef7bf3cff90f62daf1747d72ad2

SHA512
eb8127b757f1e35430417a87a10bd8e87c85dd9b6a16139467f100f07c3f0e69ddee311a9aab790638408b13bb2242a0569c8c6e7e6751f281e77b453602716c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkYU.exe

Filesize
190KB

MD5
8e98eb1a18770c2d41cdb1a0f510a6b3

SHA1
85274d846a872f1f5e5565cdc27b5f620431d228

SHA256
8ad17c6576295f1eed7dae7bbbe2f368777f1017d3d18fdd0e50a5244808b893

SHA512
a7b452fcef2c56bfa4629ec6fbc3a3ecd848252d3e8fa5546f588b1d6edd22d0132383a3c79b41b5003dd6a026defbc99cc6ea9c729f9aac25df17883c0530a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyEgkYMM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAUm.exe

Filesize
198KB

MD5
08e0647b67aefeabd202165bd597a59f

SHA1
4af3e680ba18ae6d11b9a0942e8885b9ffe9b0ba

SHA256
ad461acabf985782b37e398dbf44031711719801f4b9a450018fe3b01ad40c1d

SHA512
b4ee922b07d3326be7116fce2d3ccc231cc19f8be8d29f49c29fb2384e2c3b65316967dc5404bda25df0ad6ead8610927fdbee8c03309a817a32463787f146dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\omIMYgIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooQI.exe

Filesize
188KB

MD5
be1217884d518dbad616bda7cea04f8e

SHA1
2113f223ad9447ef1a44d90bdfa233b95d352b72

SHA256
22b58eb075a51b1cd52a7c01ac044393240b74126a26f38bed5f3511cc23f95e

SHA512
be3ed37ea5521b807a392838eae3318777500f8b0eccbdbe0b2b3103f4180d27de5a0e5ac4ea446d75532c46f8da347f24e7e9e87991f373018256a7c9b30eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQwAMYMA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcEM.exe

Filesize
5.2MB

MD5
585d05ece257b7715cf0d3e80ed6cb38

SHA1
fb48488378633b948ade4a3aa3be144e5bb1a8a2

SHA256
44843e9a3a00a03cdc5d97a986791fa17d935bb28c85a6528c7daebbecc11a48

SHA512
ae41fe555dafa4460c6b9188ac640155cbc3b53855a3a3bd43e681b6cffa9099fc101295748c329ea4ef884379111bfe76aa574883f59bf354c73290b0ea242f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pokswYIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkoO.exe

Filesize
202KB

MD5
264856f3b29ab6136da2e3457722f1fa

SHA1
e96fe96cf9acefc2389d976edef9b4a32be2c3ea

SHA256
cc17051d0a14f5fdd09f715776420908e602d399b3653094c42374ebeb528b79

SHA512
612f0b5b6d3b4f10e771ad093d6ea3f467700ff3aa95955db86dcf8446512fca6a3bcf184dd01ce3baa5340a21dbcfdb31609d1e1a6cf9c46318056629f23409

Download Submit
C:\Users\Admin\AppData\Local\Temp\rKYAUcEI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMgMMAAg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\skcG.exe

Filesize
188KB

MD5
81132bb62959223bd00c7a3687ab5d09

SHA1
45a19913d4c23767562a8a977a581b6b6211461a

SHA256
18a4afcd778262391956e0761e05d3b2723393d8cc1dae5c4f03a13b18b52cb2

SHA512
34490eb6548132bf251238479b9bf47b893f588560b9a562a1e89ae7e01bb7a311bed859576562e6ef67053db00226c75ab5c75333f25cf7bdb1e745c91e8c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\soAo.exe

Filesize
202KB

MD5
d1f7f8ce7898fafebc278016bf038f4a

SHA1
187ea1e8645712d336d7c5339aa0e2532ac0a484

SHA256
0743a4178835753217b8a274e9732857fbffb0df54db8ebda377428a4fbea630

SHA512
f3a6cd2281d2d800af958569da7ad8ecbcefd143e8e9b98789e6c07ce327a259cc9391ee3f9509b23ff04516a47e159d4f440310b067cf976dae2405c2ed6c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEAs.exe

Filesize
203KB

MD5
2327ce2172a52ec1a27296b2faa29c11

SHA1
4384960e4809cd1bf7e0c9f379154c520d189e50

SHA256
b3167b61c4f68734a9dffb2cec2b1e0e3d3b992aaa9dab9eceb896040733bdc7

SHA512
af80534c021cb1fb058904ff3b93d18173196d7b34e6b1c905c94c8fa9c80a790192ff4ec6111a16a6f314fb6eb66f673ef75014452a11d7291e63f11c668f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIYq.exe

Filesize
200KB

MD5
ea553a3fc0b1655355f8055b6fc51869

SHA1
4c1e44f14781aecd0176209939169f3a014a5fcb

SHA256
d01c73aa9f46a24c4ea6d158dc55ccf1d4b2844a118f4e64d8000cfba1a1f7fd

SHA512
14d71bde3a1b67103a9ccb95f9f2619fe23f3f7714b1d196d9942928c21834e3eaf92f5443eb7e20dd6cfa2d4eba5d6ac166e96a0437412dd0a1061c55ad8d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYck.exe

Filesize
214KB

MD5
6473f1e86a4fdff2389c16b46d9d1eab

SHA1
79e0e42029b9c26382af56dd8245afa84d4d1d3d

SHA256
74469ffd58c14b0beb76870657bcafc2ce43f75420d7bf28f9156cee066e5c03

SHA512
ac050c93597463f949856cca97341ea53484ff99c9fef595434f455cee3105a91ca14b6a3d733e7dc67ff79339bf8edfb9a242335108a6298deb6dd737a79b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucIq.exe

Filesize
198KB

MD5
7fc787af0ad77d6e0da9a7a4a472e086

SHA1
e45227eb1c7094d0f01eed9e045761d67c39863b

SHA256
0c04142dbe4552dfea4a114bed60662658facba4aaa62542ac2d9c99c29c28c3

SHA512
55d5adbe146f024adf2131612e88461e5d0ad8c8c7f8fa55150fc2116de238c1db013a4c8ce8b7081f199231b9a64e3ac3aae07f6b1787f4bb8d29a2a7a69441

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEUs.exe

Filesize
2.0MB

MD5
77a2dbedec43b461f81a0adcdf294db8

SHA1
07903961d50b091be56a93c780c82fe532b0967d

SHA256
23c5b62bd4acaa7753fcacb39be29057488efcedf3763771fa4d8c75e2c3fa2f

SHA512
bb6fd8cdc17e1f69f91aa9317a843230e4ac2797ab44f38aa0664e3bea44522b634bec9dabc5cec1839fc07c61dd3cbef596b9b05a5d628aa7c5d7236d7b4031

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMAk.exe

Filesize
190KB

MD5
834a14e9668a5735faabb8ee2335b4b1

SHA1
ca6a4256f6f4b6af013d4066e5356712480102fe

SHA256
f539684934de9afc05be6dd3b03565505f8681b59c6266ed5c2ecdaefeb90d60

SHA512
edd467c1f4c935e93f2c5f313f9549a1ba334b0c4ef36e737ee00a943b7a7b64e772a3e9d1faf19ee7e2f83d6936904c33a70d7a4553bab42f2e25f3640cec38

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAwkEkEM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQIq.exe

Filesize
206KB

MD5
6c4c7a9387ed5c0c422708edbdad4df7

SHA1
b9cff7005e7b5e16f859196d973aa05cdc153ff3

SHA256
21dfff353b137e39d2758bec20e72b8e679643b5ba6e273871a3cd8e488ecf31

SHA512
b4be2e4443bea0bfffd352254026902e9f29a6f226ae9f5e022db733f718ee5a121d2f0225a676e21b82f8bacdb952b133b22650d82ba314b54535df03ce59c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysgcAoIA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgUC.exe

Filesize
519KB

MD5
4945ff0c4572c6c717bcbd580b2153ef

SHA1
20a8ad23a351dbeb81a823436ebe9a05fd032e05

SHA256
413d4849b68da11a4c0121b525468c7b2d9e6fbc81256d9e4bde59dc74dbfe9c

SHA512
b012a51d52d62c5919913cef45057e4ffaaa4c875ce60b234dfd3f1f9ec54943653dc28d2bde41364679da3d612741e96718c09bd45de1799b4a54b6003c9104

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkYi.exe

Filesize
189KB

MD5
259584699d31cf6efca27f95921a88ec

SHA1
63e18d219f45194445ab8734ba4ea832c46ef095

SHA256
e7da9f0e83164c8129c226580dc68611350ec3953b981599e5f42d117a314e6d

SHA512
c0497182aac384679946ba3a85f042bef5454973231b5f7ab51d57ffac632c9eb652b3ce9788353efa775053d32bdb8e6708398ca3bda4890694865f4f2de0a9

Download Submit
C:\Users\Admin\dyAIYgoA\cQUEwEkc.exe

Filesize
199KB

MD5
77193d378316d9d405a1257f2467167a

SHA1
26c6c34ce4e1422fc6b400b02d9579a8e8380f6b

SHA256
a447b07ea2e046a873de9f9402de453caa893dfa010c55f4473cc10090cd024c

SHA512
b0f88f8d5c4ecf6dc87f147b994a86b9efd5b56bbe2a2c3ae7b93c904f779abf0be2e28c4627f9dbb60efbc95da06668a8d7bddd3ed70caea8e7d86a20742052

Download Submit
C:\Users\Admin\dyAIYgoA\cQUEwEkc.exe

Filesize
199KB

MD5
77193d378316d9d405a1257f2467167a

SHA1
26c6c34ce4e1422fc6b400b02d9579a8e8380f6b

SHA256
a447b07ea2e046a873de9f9402de453caa893dfa010c55f4473cc10090cd024c

SHA512
b0f88f8d5c4ecf6dc87f147b994a86b9efd5b56bbe2a2c3ae7b93c904f779abf0be2e28c4627f9dbb60efbc95da06668a8d7bddd3ed70caea8e7d86a20742052

Download Submit
C:\Users\Admin\dyAIYgoA\cQUEwEkc.inf

Filesize
4B

MD5
c37a2ceea1bf2ad6c19c5733f703e77c

SHA1
4fb9bfe18978d57aaa8b9e0a29e5ca1c9fd13476

SHA256
bf580c7163e152df78c9ec2baf8c8d4ac7fed535757abd138a3747548877fdab

SHA512
e44ca7d631943f23974cfcfd4d98afffe072783a846e62cf544896998830612831296a9973086f2b10d687b1b5864a190a61b992aa8fbc0493e7f528ca7780ee

Download Submit
C:\Users\Admin\dyAIYgoA\cQUEwEkc.inf

Filesize
4B

MD5
3dff1b0302f052714d9a63a21ca071c0

SHA1
085a92e0def7974451c9f75b35c2fb8c79dcd56d

SHA256
785c842733b485250569fd3b9eb9cb538e5cb2bea6e1739a139937a8497dcf1f

SHA512
e075986b667595b60654509fc8b7687f33521eb7c34bb36ad3629bde9f36dcfcb8eb106131a634162a402148a516135436c1fa4ab05ff3b29d9fb18b2bd8591f

Download Submit
C:\Users\Admin\dyAIYgoA\cQUEwEkc.inf

Filesize
4B

MD5
291112f957282307fbedba282dcfa26b

SHA1
133a777f9558315b379d2d7777fa860f9d04b2ee

SHA256
90be5ee6a4eb349a7cc2003a622e62bae3304c1a53bd00ccdea2af4d3430814d

SHA512
580aed9a89bfb2edb0b6852976919a194884447a1897aa4507576d812dadb1477846ca034689362e5f0a84df056664ad329d3a6ef6897e6c12dd710885c87017

Download Submit
memory/228-476-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/228-313-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/640-514-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/640-504-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/736-460-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/752-468-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/860-532-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1212-133-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1212-152-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1232-237-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1232-197-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1284-340-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1308-434-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1344-210-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1352-540-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1448-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-351-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1816-336-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1840-249-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1840-262-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1928-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-166-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2084-154-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2120-388-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2120-380-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2164-503-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2216-408-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2216-416-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2812-222-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2812-233-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2892-487-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2892-477-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3012-275-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3012-263-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3052-220-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3052-559-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3192-424-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3340-272-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3340-288-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3372-326-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3372-315-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3392-175-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3392-192-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3480-450-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3536-495-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3560-397-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3724-377-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3800-301-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3820-522-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3948-396-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3948-407-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4208-575-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4216-364-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4232-585-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4448-541-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4448-549-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4464-167-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4464-179-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4792-248-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4884-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-198-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4984-442-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5008-567-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download