61fe5a5ae9f75bcbed369a70c0d89a6af71b4907d4ff68b481e230ac66f2a98a

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2023, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NA_NA_1e6e53ed590499exeexe_JC.exe
Size

259KB
MD5

1e6e53ed590499525f4e9a9aef9ad89c
SHA1

cb13ba0144b30486b3582d22bff8c90a4f9e2bbb
SHA256

61fe5a5ae9f75bcbed369a70c0d89a6af71b4907d4ff68b481e230ac66f2a98a
SHA512

d893857f331711a8e5f1755bafd7c5d40eeaf2ef3bcbc14cfb3d08f66669ab0f2da3c4778fcc77590823ff66181590dbc18dfec0dfeeb9a765cea41c6e600199
SSDEEP

6144:gJ8Fkehcn7WXlMM6oStKQa5e8PxleHo00N+rDZPLii+p:gGxJXbzSba5tYo00N+rDZzIp

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NA_NA_1e6e53ed590499exeexe_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NA_NA_1e6e53ed590499exeexe_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	rsYckgUM.exe

Executes dropped EXE 4 IoCs

pid	Process
4128	rsYckgUM.exe
1724	COkskook.exe
2800	rsYckgUM.exe
748	rsYckgUM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rsYckgUM.exe = "C:\\Users\\Admin\\bGsskEUs\\rsYckgUM.exe"	rsYckgUM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rsYckgUM.exe = "C:\\Users\\Admin\\bGsskEUs\\rsYckgUM.exe"	rsYckgUM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rsYckgUM.exe = "C:\\Users\\Admin\\bGsskEUs\\rsYckgUM.exe"	NA_NA_1e6e53ed590499exeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\COkskook.exe = "C:\\ProgramData\\EcUskIAM\\COkskook.exe"	NA_NA_1e6e53ed590499exeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rsYckgUM.exe = "C:\\Users\\Admin\\bGsskEUs\\rsYckgUM.exe"	rsYckgUM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\COkskook.exe = "C:\\ProgramData\\EcUskIAM\\COkskook.exe"	COkskook.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rsYckgUM.exe = "C:\\Users\\Admin\\bGsskEUs\\rsYckgUM.exe"	cscript.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	rsYckgUM.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	rsYckgUM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2380	taskkill.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5036	Process not Found
1948	Process not Found
3732	reg.exe
1948	reg.exe
408	reg.exe
4436	reg.exe
1260	reg.exe
4136	reg.exe
896	Process not Found
928	reg.exe
1220	reg.exe
2744	reg.exe
1728	reg.exe
3356	reg.exe
1984	reg.exe
4264	reg.exe
508	reg.exe
3388	reg.exe
2384	Process not Found
2668	Process not Found
2668	reg.exe
3060	reg.exe
5036	reg.exe
4640	Process not Found
3200	Process not Found
4136	reg.exe
1312	reg.exe
2480	reg.exe
3048	Process not Found
1420	Process not Found
960	reg.exe
5092	reg.exe
5092	reg.exe
1344	reg.exe
3044	reg.exe
3552	Process not Found
1276	Process not Found
2164	reg.exe
4660	reg.exe
1628	reg.exe
3388	Process not Found
3740	Process not Found
4492	reg.exe
1808	reg.exe
4416	Process not Found
3980	reg.exe
1492	reg.exe
1804	reg.exe
4268	reg.exe
3356	reg.exe
3016	reg.exe
748	reg.exe
1728	reg.exe
3016	reg.exe
2132	reg.exe
1764	reg.exe
3512	Process not Found
3776	reg.exe
1676	Process not Found
1808	Process not Found
856	reg.exe
4176	reg.exe
1804	reg.exe
3388	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2960	NA_NA_1e6e53ed590499exeexe_JC.exe
2960	NA_NA_1e6e53ed590499exeexe_JC.exe
2960	NA_NA_1e6e53ed590499exeexe_JC.exe
2960	NA_NA_1e6e53ed590499exeexe_JC.exe
2924	NA_NA_1e6e53ed590499exeexe_JC.exe
2924	NA_NA_1e6e53ed590499exeexe_JC.exe
2924	NA_NA_1e6e53ed590499exeexe_JC.exe
2924	NA_NA_1e6e53ed590499exeexe_JC.exe
2368	NA_NA_1e6e53ed590499exeexe_JC.exe
2368	NA_NA_1e6e53ed590499exeexe_JC.exe
2368	NA_NA_1e6e53ed590499exeexe_JC.exe
2368	NA_NA_1e6e53ed590499exeexe_JC.exe
1356	NA_NA_1e6e53ed590499exeexe_JC.exe
1356	NA_NA_1e6e53ed590499exeexe_JC.exe
1356	NA_NA_1e6e53ed590499exeexe_JC.exe
1356	NA_NA_1e6e53ed590499exeexe_JC.exe
3360	NA_NA_1e6e53ed590499exeexe_JC.exe
3360	NA_NA_1e6e53ed590499exeexe_JC.exe
3360	NA_NA_1e6e53ed590499exeexe_JC.exe
3360	NA_NA_1e6e53ed590499exeexe_JC.exe
4748	NA_NA_1e6e53ed590499exeexe_JC.exe
4748	NA_NA_1e6e53ed590499exeexe_JC.exe
4748	NA_NA_1e6e53ed590499exeexe_JC.exe
4748	NA_NA_1e6e53ed590499exeexe_JC.exe
4580	Conhost.exe
4580	Conhost.exe
4580	Conhost.exe
4580	Conhost.exe
1580	Conhost.exe
1580	Conhost.exe
1580	Conhost.exe
1580	Conhost.exe
4468	cmd.exe
4468	cmd.exe
4468	cmd.exe
4468	cmd.exe
1892	NA_NA_1e6e53ed590499exeexe_JC.exe
1892	NA_NA_1e6e53ed590499exeexe_JC.exe
1892	NA_NA_1e6e53ed590499exeexe_JC.exe
1892	NA_NA_1e6e53ed590499exeexe_JC.exe
4108	NA_NA_1e6e53ed590499exeexe_JC.exe
4108	NA_NA_1e6e53ed590499exeexe_JC.exe
4108	NA_NA_1e6e53ed590499exeexe_JC.exe
4108	NA_NA_1e6e53ed590499exeexe_JC.exe
4640	Conhost.exe
4640	Conhost.exe
4640	Conhost.exe
4640	Conhost.exe
2384	reg.exe
2384	reg.exe
2384	reg.exe
2384	reg.exe
1312	cmd.exe
1312	cmd.exe
1312	cmd.exe
1312	cmd.exe
4536	NA_NA_1e6e53ed590499exeexe_JC.exe
4536	NA_NA_1e6e53ed590499exeexe_JC.exe
4536	NA_NA_1e6e53ed590499exeexe_JC.exe
4536	NA_NA_1e6e53ed590499exeexe_JC.exe
3424	Conhost.exe
3424	Conhost.exe
3424	Conhost.exe
3424	Conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2800	rsYckgUM.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	Conhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe
2800	rsYckgUM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 4128	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	88
PID 2960 wrote to memory of 4128	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	88
PID 2960 wrote to memory of 4128	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	88
PID 2960 wrote to memory of 1724	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	89
PID 2960 wrote to memory of 1724	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	89
PID 2960 wrote to memory of 1724	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	89
PID 2960 wrote to memory of 4252	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	90
PID 2960 wrote to memory of 4252	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	90
PID 2960 wrote to memory of 4252	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	90
PID 2960 wrote to memory of 2060	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	98
PID 2960 wrote to memory of 2060	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	98
PID 2960 wrote to memory of 2060	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	98
PID 2960 wrote to memory of 4364	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	97
PID 2960 wrote to memory of 4364	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	97
PID 2960 wrote to memory of 4364	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	97
PID 2960 wrote to memory of 1672	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	96
PID 2960 wrote to memory of 1672	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	96
PID 2960 wrote to memory of 1672	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	96
PID 2960 wrote to memory of 3204	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	92
PID 2960 wrote to memory of 3204	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	92
PID 2960 wrote to memory of 3204	2960	NA_NA_1e6e53ed590499exeexe_JC.exe	92
PID 4252 wrote to memory of 2924	4252	cmd.exe	100
PID 4252 wrote to memory of 2924	4252	cmd.exe	100
PID 4252 wrote to memory of 2924	4252	cmd.exe	100
PID 3204 wrote to memory of 4276	3204	cmd.exe	101
PID 3204 wrote to memory of 4276	3204	cmd.exe	101
PID 3204 wrote to memory of 4276	3204	cmd.exe	101
PID 2924 wrote to memory of 1592	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	102
PID 2924 wrote to memory of 1592	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	102
PID 2924 wrote to memory of 1592	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	102
PID 2924 wrote to memory of 116	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	104
PID 2924 wrote to memory of 116	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	104
PID 2924 wrote to memory of 116	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	104
PID 2924 wrote to memory of 4864	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	109
PID 2924 wrote to memory of 4864	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	109
PID 2924 wrote to memory of 4864	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	109
PID 2924 wrote to memory of 3732	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	108
PID 2924 wrote to memory of 3732	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	108
PID 2924 wrote to memory of 3732	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	108
PID 1592 wrote to memory of 2368	1592	cmd.exe	107
PID 1592 wrote to memory of 2368	1592	cmd.exe	107
PID 1592 wrote to memory of 2368	1592	cmd.exe	107
PID 2924 wrote to memory of 4092	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	105
PID 2924 wrote to memory of 4092	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	105
PID 2924 wrote to memory of 4092	2924	NA_NA_1e6e53ed590499exeexe_JC.exe	105
PID 4092 wrote to memory of 1276	4092	cmd.exe	113
PID 4092 wrote to memory of 1276	4092	cmd.exe	113
PID 4092 wrote to memory of 1276	4092	cmd.exe	113
PID 2368 wrote to memory of 2084	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	114
PID 2368 wrote to memory of 2084	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	114
PID 2368 wrote to memory of 2084	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	114
PID 2368 wrote to memory of 3116	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	119
PID 2368 wrote to memory of 3116	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	119
PID 2368 wrote to memory of 3116	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	119
PID 2368 wrote to memory of 3700	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	118
PID 2368 wrote to memory of 3700	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	118
PID 2368 wrote to memory of 3700	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	118
PID 2368 wrote to memory of 3980	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	117
PID 2368 wrote to memory of 3980	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	117
PID 2368 wrote to memory of 3980	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	117
PID 2368 wrote to memory of 3604	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	116
PID 2368 wrote to memory of 3604	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	116
PID 2368 wrote to memory of 3604	2368	NA_NA_1e6e53ed590499exeexe_JC.exe	116
PID 2084 wrote to memory of 1356	2084	cmd.exe	124

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\bGsskEUs\rsYckgUM.exe
  "C:\Users\Admin\bGsskEUs\rsYckgUM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4128
- C:\ProgramData\EcUskIAM\COkskook.exe
  "C:\ProgramData\EcUskIAM\COkskook.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "USERNAME eq Admin" /F /IM rsYckgUM.exe
    3⤵
    - Kills process with taskkill
    PID:2380
- - C:\Users\Admin\bGsskEUs\rsYckgUM.exe
    "C:\Users\Admin\bGsskEUs\rsYckgUM.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
    C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        8⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        10⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        12⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        13⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        14⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        15⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        16⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        17⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        18⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        20⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        22⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        23⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        24⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        25⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        26⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        27⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        28⤵
        
        PID:3324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        30⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        31⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        32⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        33⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        34⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        35⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        36⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        37⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        38⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        39⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        40⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        41⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        42⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        43⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        44⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        45⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        46⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        47⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        48⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        49⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        50⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        51⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        52⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        53⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        54⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        55⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        56⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        57⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        58⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        59⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        60⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        61⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        62⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        63⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        64⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        65⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        66⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        67⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        68⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        69⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        70⤵
        
        PID:3612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        71⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        72⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        73⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        74⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        75⤵
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        76⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        77⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        78⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        79⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        80⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        81⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        82⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        83⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        84⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        85⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        86⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        87⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        88⤵
        
        PID:60
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        89⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        90⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        91⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        92⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        93⤵
        
        PID:4632
        
        C:\Users\Admin\bGsskEUs\rsYckgUM.exe
        
        "C:\Users\Admin\bGsskEUs\rsYckgUM.exe"
        94⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        94⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        95⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        96⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        97⤵
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        98⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        99⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        100⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        101⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        102⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        103⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        104⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        105⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        106⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        107⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        108⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        109⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        110⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        111⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        112⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        113⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        114⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        115⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        116⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        117⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        118⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        119⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        120⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        121⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        122⤵
        
        PID:1220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        123⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        124⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        125⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        126⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        127⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        128⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        129⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        130⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        131⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        133⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        134⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        135⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        136⤵
        
        PID:2640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        137⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        138⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        139⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        140⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        141⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        142⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        143⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        144⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        145⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        146⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        147⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        148⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        149⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        150⤵
        
        PID:4364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        151⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        152⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        153⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        154⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        155⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        156⤵
        
        PID:4100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        UAC bypass
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        157⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        158⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        159⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        160⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        161⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        162⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        163⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        164⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        165⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        166⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        167⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        168⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        169⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        170⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        171⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        172⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        173⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        174⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        175⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        176⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        177⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        178⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        179⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        180⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        181⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        182⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        183⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        184⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        185⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        186⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        187⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        188⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        189⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        190⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        191⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        192⤵
        
        PID:240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        193⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        194⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        195⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        196⤵
        
        PID:1272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        197⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        198⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        199⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        200⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        201⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        202⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        203⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        204⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        205⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        206⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        207⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        208⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        209⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        210⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        211⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        212⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        213⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        214⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        215⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        216⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        217⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        218⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        219⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        220⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        221⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        222⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        223⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        224⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        225⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        226⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        227⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        229⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        230⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        231⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        232⤵
        System policy modification
        
        PID:1820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        233⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        234⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        235⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        236⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        237⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        238⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        239⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        240⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        241⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        242⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        243⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        244⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        245⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        246⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        247⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        248⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        249⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        250⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        251⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        252⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        253⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        254⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        255⤵
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        256⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        257⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        258⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        259⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        260⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        261⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC"
        262⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC
        263⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        UAC bypass
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcgAAMgY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        260⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKogwwcE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        258⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies registry key
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCYAQsMY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        256⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:2908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIMQkYMA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        254⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcIQQEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        252⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        UAC bypass
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAYckswQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        250⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAUAcQIA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        248⤵
        
        PID:1808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiwkEkIY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        246⤵
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGgQwgAs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        244⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        Modifies registry key
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auUEcMMk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        242⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIQskQUs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        240⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUAwoIgk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        238⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        Modifies registry key
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:4128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaAskckA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        236⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQsQIAIk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSkAccUY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        232⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMwMAEcU.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        230⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKswgEIY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        228⤵
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        UAC bypass
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies registry key
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:1876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cyoUYwIo.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        226⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        Adds Run key to start application
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        Modifies registry key
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmIkAccc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        224⤵
        
        PID:3724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:1272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        224⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkEYEgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        222⤵
        
        PID:4248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tewkkcUE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        220⤵
        
        PID:2352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awUQYcsI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        218⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgYkEUgo.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        216⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        216⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEcEggMo.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        214⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AocoEEIE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        212⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        Modifies registry key
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSwoUUcA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        210⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSAYcsEE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        208⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        UAC bypass
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoMUYcgc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        206⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        Modifies registry key
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqUoQMYs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        204⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies registry key
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcggskMA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        202⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueoMQcgg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        200⤵
        
        PID:244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        Modifies registry key
        
        PID:508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies registry key
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:1504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmIsckoA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        198⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWgUkYYY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        196⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies registry key
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcAkgUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        194⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgYwEsIw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        192⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqsYkQgM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        190⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQsAAYEg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        188⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKwksYwc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        186⤵
        
        PID:4068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUMkEoIg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        184⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vokQYAIM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        182⤵
        
        PID:2164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:3160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkogsIsw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        180⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kioYkwYM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        178⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:3080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqIQIYIE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        176⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOAoQAIc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        174⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niMAIwUE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        172⤵
        
        PID:1764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUcwkUoU.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        170⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyUsIIgE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        168⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yewYQoYI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        166⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AiMkggcQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        164⤵
        
        PID:4100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmUoUkEc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        162⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqgQQwcw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        160⤵
        
        PID:1960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciwMEEQE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        158⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMEsAAco.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        156⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSQQkEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        154⤵
        
        PID:4384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        UAC bypass
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScYkIMsU.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        152⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIcUcAYg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        150⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukwwEAYc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        148⤵
        
        PID:408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYEYQcsg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        146⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEYMkwMY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        144⤵
        
        PID:3428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgwsUkIU.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        142⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQEMIMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        140⤵
        
        PID:3916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:4252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQQwEIEA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        138⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSkMkQcY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        136⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyoEIQoA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        134⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        UAC bypass
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEkEQQMI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        132⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgooYckw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        130⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWYkQcIg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooQkYkkY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        126⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:3120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iioYIkwI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        124⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUwYMkYA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        122⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOIMQUwg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        120⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dusQgkMc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        118⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmkoIQss.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        116⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:4640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkIEAEYA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        114⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies registry key
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        UAC bypass
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyIcYEYw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        112⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWEggAwY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        110⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAEIcwEw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        108⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCUQcwIE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        106⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAcwQgQo.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        104⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoEgQAUw.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        102⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies registry key
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKQYYAkY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        100⤵
        
        PID:2744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAAYMkUI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        98⤵
        
        PID:4684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qycAMQcc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        96⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuQMMIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        94⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEAkAcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        92⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:1804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xosAsAEc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        90⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMksgIYg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:4752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGAgQgwg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        86⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYIocQss.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        84⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGMsYwgE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        82⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEggwoUU.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        80⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyocgwIA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        78⤵
        
        PID:1356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        UAC bypass
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEMEccgE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        76⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VscYUEYA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        74⤵
        
        PID:2200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQcAsUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        72⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMYkcwck.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        70⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKIIwAcA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        68⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        UAC bypass
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IskAYUoM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        66⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqsoUQIo.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        64⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIcIwQcc.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        62⤵
        
        PID:2808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUQwsAkg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        60⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:1312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwIwsEAI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        58⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOAYQgws.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        56⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:3356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYcoIAsY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        54⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeYYEgoI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        52⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:2384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOQoMYIk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        50⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMAkwwYs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        48⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIMMccoY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        46⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUcIgswE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        44⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyQUwwkM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        42⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGAIwook.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        40⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksIQEIkE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        38⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQcQYgIY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        36⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOQckooI.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        34⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUEEQMss.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        32⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zocgwQYg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        30⤵
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKkYEUAM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        28⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmEUUsUs.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        26⤵
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUsskAIg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        24⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUgoEYkk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        22⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSQkwUEg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        20⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaUccckE.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        18⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkYskAcA.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        16⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiMoIcQg.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        14⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeAAAAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        12⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies registry key
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jowIIIoY.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        10⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAsYUQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        8⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSkEIIkM.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
        6⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1580
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:3980
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3700
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3116
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgwsQYUk.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4092
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1276
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:3732
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcYEscEU.bat" "C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4276
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1672
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4364
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2060
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

Filesize
390KB

MD5
783ba53fa85e6b4c95da26261d0f7a17

SHA1
44ecce796510ca531fa04f300743549943768a03

SHA256
77dc49582a0756e0378910efdec007a7383d916b61189e27fffe54c1e07f7db7

SHA512
5c5f770f161d85aefc7ae568fbcf7f15dd008cff6f7a05c2eb0a4ea40f53c2a366dce1d5f00e833a62452cd3b851f0d00e442b9fbee486a5c951852f8e20abe7

Download Submit
C:\ProgramData\EcUskIAM\COkskook.exe

Filesize
195KB

MD5
04c7f035b1f4858bd7c0c7dc5ca3a0e5

SHA1
fbc33b99618941dc02918af1f3fa445327ed0f65

SHA256
2a9ce991d1e2e96f0093f513c59893dedb2fe3973c9c8af10251b27cc12f8895

SHA512
97f36117d15833a82785e69b2768012cd70bbaad55aeae158973e1e808e91abf1107de0e6549a92cd401de51eb0990a28269d53611d1f9b97153d2618c8a1a02

Download Submit
C:\ProgramData\EcUskIAM\COkskook.exe

Filesize
195KB

MD5
04c7f035b1f4858bd7c0c7dc5ca3a0e5

SHA1
fbc33b99618941dc02918af1f3fa445327ed0f65

SHA256
2a9ce991d1e2e96f0093f513c59893dedb2fe3973c9c8af10251b27cc12f8895

SHA512
97f36117d15833a82785e69b2768012cd70bbaad55aeae158973e1e808e91abf1107de0e6549a92cd401de51eb0990a28269d53611d1f9b97153d2618c8a1a02

Download Submit
C:\ProgramData\EcUskIAM\COkskook.inf

Filesize
4B

MD5
8676c0dc951966f07ade2ca33c26975c

SHA1
18c6fd91e5accf6603a0d36462c7542299a06528

SHA256
a4bfe7fd3b0e64d40eedd5f6857647f2ea89a47a720c2185f710ca0849961e76

SHA512
9f113825e5ef6683871a6368311d3dd97fdf613ff3bfdc3d6c7f412752cae1edcbacdba246fb01ff7303a7af6c5e0f9f4aa1a8db8931719ba365f0fad2448fd8

Download Submit
C:\ProgramData\EcUskIAM\COkskook.inf

Filesize
4B

MD5
9f8b7bb245d0d9fc20bfa64df01197ee

SHA1
749271b18712ff0946768d6364c45fbab043a08b

SHA256
b0f7ed7a141656c6854287f826bf973abaa5a2505efbec2afbfd840c05505e38

SHA512
8432b2b1e12b006ece0025b9d8788949dbcd6c53090c8f1d58b522e7681d4d8edc3e1c12cbadf87b09078202b231a42d8c76e443dcfd6fc2d8ae69236ffd5bd0

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
325KB

MD5
a065f7ff3b30fe1d58c107c7b16ac0d6

SHA1
17267697da3d9fa5e6e8032ce00e8a6a96189020

SHA256
00629ca2cfa55ae2c7fb5cc6bf0ce613b8c2eabcf86b788bcff15f267c1a6f93

SHA512
dcd182e5cdb41532e1826a4509fa40d26c6c0356b6d679a9ab8051ec5431ddc9f02d0af4466c8bb0c7efc7d25c53acf29455bd1d72101e571998b8f40779c2e6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
237KB

MD5
a14d5e333b897cfb4a616062b52ce6c0

SHA1
8c320f7b5835a2d2d4ccbfef013783f2ab9d1e92

SHA256
261d5082f311b93291752b817b4708b248b09a986a792c5908cf9ab12a7a807d

SHA512
674821d4491afc0b80b2ee5890e7bb173f027d85646857cf00820b1b0e74867f18c4229f6b762b444e7100ec3accd0726c520a9e04a1ba78882ea85a29882e6e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
225KB

MD5
4da385d5835bbd9dd358e8737833e2dd

SHA1
d653b9ec0c3b32fea96bdf54a508e550f664ef7b

SHA256
5d59ca3942b484d1191e1adc7ba974a9740d507692e4695b369886d97c205b82

SHA512
edfb795637c1f623d8ce596f52f1037cb6602353e6bf65d71db45fa2bdee753f2b64782f1e4c97c0434066dd5e85c05356a49f4eb11829ebc86d685c5c948247

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
214KB

MD5
e9c610f1a827f2bdc79ab9bc1c72040f

SHA1
377bafd7d8ce9ea81636bcf790c1f10f98ee15fa

SHA256
126a61d0a039aeb208ec999307eb5a700f30f8c1ba37737e9d33b95da834cb85

SHA512
c5e3650f8289cad7832faa98e8556544a19dfbf1a7a99518cf31802e02ef77edf63247daba2ddf66347dfdc8b5f3e315fc402bb49f60eb3c5bc51873440f1555

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
242KB

MD5
a7d4c75b3765016a18a097940b1b9f94

SHA1
42a00aca68ebca62c1988e55d0e6a6c891790f94

SHA256
9dbe6f4af792821dc1d4e5838eec9f3724741702539920e8b29fac9720223ff1

SHA512
489e77d3d67903544b4bc56adc075f9d24a1515d5e1a456b226513c2b762991967d5afdfe562b4fdebf8895b3804b287c43325452f636caa853edb353af318dd

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
328KB

MD5
e170c3d31c3160a1d069ffabc9032eca

SHA1
d4f2b53f77021ffbf90937a5826ee8cacc8f8d4d

SHA256
2c5ff9b87a10e24f323a8748d74cdd85e825aaee83be14d29a4a3137daa441d7

SHA512
426061885f4e0aa9c168479c94587d70641c3d11019d5897673ac9495f00040fd56d243b658896d0c58461146eb292216f6676fbdf43a0c4213444586ae6fb84

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
321KB

MD5
806cc06aee1d1404e7ffe4dc8701fb1b

SHA1
6ce1f9954cb72137349d77deb5a1267216b9a0bb

SHA256
e12fc2c786ddbe4c9d9b31467ccd52d83321a1c6457c6a4a2b8791dd3ecca06f

SHA512
a28ae48d214c26ffcbe3fb0716c347a71e7c4b94eeebba8f842cf98b3d64be0eef96c916181e60484a6ea57047e6f0a18f909faa20842f9fd6c66f29b43f04df

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
230KB

MD5
43be2ac4ebfbb0a7e7ae8e11cfa21527

SHA1
0022256842f25768057de11237d0ffbb9d0e8a7e

SHA256
9bdcd5cfa367a5daa06b79009f9da46d19a6cb540ba45413b13ddb3465bc5992

SHA512
a2f23bf190cba95a26d7c2be56a81921993c5be53e4d79119e67b167095b57277149ae465f0641fb7693410c809a4007bb842f0811483d9420b62ee723ed0e08

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
217KB

MD5
7cb8b7395e2bc067a08b4d852779d0dc

SHA1
1a74497ba31beb951461454b414cc5facb95e369

SHA256
8cb5565417d04c290cb47c70899065c9c8b97db990fe8e0d8680c7e183ac5c53

SHA512
d2364b29d72e97a4901d6023d072069aab5518e7c4a2319fc73722200d18f8401367dcf70aa44e358d0a65fc583c09fd8663ed90369d07f490055f7d542a3e57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

Filesize
190KB

MD5
b3a8c5796418a2ea7d3b15a79f4283bf

SHA1
aff47e652230ae10dc2203598079eae8fc2b35c2

SHA256
627eb104154c47441ab3a50c5ea54586147044c2169f9c5d0c1cfaaeec3eee16

SHA512
e0dd9260374a823c490fe5396c58792c18e18e49c7d0f2459728341df38062ba749934b49000daeb6cfe64d753eb693c09064870804c17eda83d4ddd62e38a2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

Filesize
185KB

MD5
c00dbf8ef6a8657eda692f23c1e7f98d

SHA1
1db6e7dd8611117ecae72f45fef5b54de4028041

SHA256
7003d163ea3300c348937e2b2b5540a721d7058b37c157051bcb65dd00bed0fe

SHA512
6a8d1c89bd0ecb4358a32a8431060effa6aac95c6189c86a7d6548483a20d72e07b533b8f5f3655f48a6618dd50aa2477fb773050b7a4cc18947bf971717b031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

Filesize
206KB

MD5
3eb75c8ff29fa8f0a53824c99fb85c19

SHA1
fbc63539864be88df84810328ab3cbb9be6714b9

SHA256
a40a084b00ffae83f7e242548d0c946f84027608359bde4edb13baa263511048

SHA512
a77ed33f17fad597957ffb0ea01b9a8be4446e9e529a5649025a1ca03aba7e26b155323d48800aecf41020189faf4f88fdc6ce0fc069096aeb1f06138b6bb9e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

Filesize
188KB

MD5
4100189b1248cb2092b5ed1243f7a2dd

SHA1
7b7c028770ba323755417134848dcdcd542d5522

SHA256
1d5173afade76d005f18c4cf20bd0d0c4b6974f951544b89f4c64060054df8f6

SHA512
840fb7f982ec11fe062153493d4ab7713808977ed8f7b28ebaf294c9e0c2d62a139eaa70e43a103842f1698f6d9f1febc1d449fbd85c29de4e43105cc26beff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
185KB

MD5
c6741082c8ed808f6e36fa4cb7efc173

SHA1
6104b0c79e4f5be9f442108a594d3c425a23e012

SHA256
057d109b922a9fb6a093c5d683f9edc0bb6acaf61eb93a599740d95133ae4b2b

SHA512
35ebe89a46e18b8c92b436b5b987e11d8b7fe757606338b52d65183a1581cd3acbb6fe6a0fac6c1e5861e38f01aeff0ad6dc131577adfd1669c33bdad685d479

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMQg.exe

Filesize
229KB

MD5
af2e1263920a2fc91b5e46cca2cb4e23

SHA1
f56c9ad14d48f2dd1b9880456fd99843c8be8be8

SHA256
36f96096382416549d9b0f13c133402e0f90aa267e7d7d1f994181b9a41abb19

SHA512
d49769ad27d2b3557c24fd8f5b76e9ca343743c46712ffa45e6958cecbfce12bd346b2578b9f0bf1893c69ceff1d06b4645f1bc1864d578e785f6863b766f5a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQkS.exe

Filesize
236KB

MD5
b84c192b457a5dfa7039aec3019ad63a

SHA1
76c3e7a552643348ea94b9736a193dc4fd2c6b8e

SHA256
c9ae7608765b659eefa5c68ab324c3ab8a332b038c0f09f435b3ac8674188e2c

SHA512
d71bff6ee24065ca29a5047d036ff81406fd19918dbbfadd07d39b9213b571e28ac773cef4fc7448e620bc1cc2fa59b44072a1f745f3a155d1e0a13afed54119

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkMk.exe

Filesize
316KB

MD5
ebfa1dc5d9be1a7fb6b1ce51ddb9d8dd

SHA1
1aaa43dbf4609e4540a36d8deebcbc9cb4ae9a4e

SHA256
310f6a7c7e0c8e8647620db90c971f9b8e1345e7f25ab43d06fb2c14bff2554a

SHA512
a0d88e0d7f8bfbb07fddd5aea4d9b05fbf733e059b98a42fcc0442802237b60d424bea6ef27615efc4168a39cc94678e3183be876b195239c7f98b35cae1d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoEc.exe

Filesize
194KB

MD5
8c5021533c9f36530d1c06a13be2f410

SHA1
344e23a11afac3fb6e6d8d97ebae51dca6d4bc0e

SHA256
c3a0e8628ef19e413ab1f54bad1d20417a76a5a5e17634b44146b83bf88bda76

SHA512
6da5ede8bef6f09237dec8ac7b2ae3f68476805a956b5cb2ff4b8f3c403e14747c20a2a0c8055547c65cebc4e7ba21b82e970a49953056188c7a141cfdfb6d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BsQq.exe

Filesize
193KB

MD5
c38644d17098e48ff361983b77fa138a

SHA1
647da619ad85a6b4c1db922f31e41604cb85c297

SHA256
7be85bcd5fca66a9d0bd3b64aeee12fc838fc02f034e02066eccdf90eb693a8a

SHA512
319f0cefe3c8311cd51077c9dfeed97f979f4d3cfc6836e1fcaf8e7120949b055d56fb37731a362cc46730ba2fea90aaad812730bb53266cfc6b9452e810dab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwQe.exe

Filesize
185KB

MD5
d95e758c0d62d8ca015d5077639b9b9b

SHA1
581d752e51e8d6a89bf7d48a7e0f7ec5308b580e

SHA256
f605b4f3cdaf5e99fd3b74d564563c5dad1ce9eb8e84e315c103113fb1984932

SHA512
2e54647927198316f4894a02fe7d9b83f08c79bfbfa8f7bfc843ed62c2f507a461ddc6f6f5e462568789b7faa978d0e4fea1bf9d8cc453029df6795a3aa9660a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwgM.exe

Filesize
639KB

MD5
393211fd3dac99c9de934231b7bfa326

SHA1
1c49468a67c8b6254a0df183e8788515e558c8af

SHA256
0902cd2b643a317e52341c1ff052429e93e8fc9e38a13f1362d52140394e62ff

SHA512
96a83ddd93dc06d8d0658fdef208875dbf33f0838c21b4cf63aed411ac8c85d9d710d24a7a2686e8dd3e474f7a19acc808953b1ac79d7544a1a04a1bbb08ff18

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIAi.exe

Filesize
635KB

MD5
af264413edbf943cab9cff08ac46cded

SHA1
04381dc02dc56938b751bfbe8dcba6c9fe42f25a

SHA256
c48578d09e0c9c8178d84d91f34c423217f7bc5d0ba1b6c24c88348d119e149f

SHA512
870ab52fc646021dca1fc5e6b17093a40797c30a441af503245d2230ac99769c5c0898a48b370119f48003d5bc4024f895117bb23c6bcde5e4dd4e0fe4925b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUgS.exe

Filesize
187KB

MD5
c8ef4628fed246c8de43186853d2575e

SHA1
6881aea210fd0751e53d02d0bf776340bfa80195

SHA256
b2359363dd47a562bb7425fe66864720a785bebc9aabc402c2be8b687df78fb7

SHA512
b1da4e3f448b78ee08e11ff9c05d7b038b81b46f586a17dc5abca8f86edfa2fb72a8f5c9bc9da251e04fd76249c539fa275870b515e0050ecb9af2bf46046b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYEe.exe

Filesize
866KB

MD5
5e7f3c27b5725c6610c7e978dca8d9ac

SHA1
5e5d9b6e19e5bc7956b05cd563d0d82f7ffbbda8

SHA256
cb53ad3d07c307ceb71689b83187509dc5f184cea89e41a0e3fc50be12010107

SHA512
707d59f66ead805f19fa1bba195bea7732ad503fc586ac9b59557890041b75cd46affdece15766cebe3b14be16b04448930fe1db2a788682d3ab50a7a07a6e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcIg.exe

Filesize
200KB

MD5
b76d78fe832a7ca15b7f71f98c564233

SHA1
8b9f0787cdfed308d0205b51fe9f7ee96f33b3c2

SHA256
2d28ebd48cf335d5c6ba244c31d16271a89ca13dc8b5337d41cdf14e99bd66b6

SHA512
95c802326ce39daa362c88fec40e3afa5c7e773f42728c955000901fb5859142b1efd1e3517f84d612d992a8e44ab5b883253e79bd7f32327ae0c79cf645cdda

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIgM.exe

Filesize
613KB

MD5
df6f28453286457ee3e053b4f882e144

SHA1
5560ee0b7db6867142ca973657c7bba628a1b436

SHA256
4a1ea1022fce13fe8d401592d99b4a7a42240c91c755d9211a39ba57a0361178

SHA512
0c82a61bac85556fbdcbf6df9a5d8451a096ca6f2f9efb217d65eb03ec33706eb6f314d48859e9fa0e817d545da324a1bd7fa56470bab35b89da56a91d78a8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dcka.exe

Filesize
681KB

MD5
a3040ee2ca7eb400838179b50b678e6e

SHA1
a830374458cc6f7ca64f7377f8bdfcf2195aed8b

SHA256
c584498a0110341ebc7f96ad09249c476fcca72090b8e8490f0532662d9f3a29

SHA512
9b3f94658216d2d4fac1a4e67930633b7c6c8f748d3cb60ba396ef15ed1cc8c9cf7e0df402105b954a104617009dc56f2e3ac504aa8d64f943625e3eafcdae0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DggY.exe

Filesize
205KB

MD5
240b72c10f34512d131ed965be3d1e48

SHA1
aea39fe50b0c0c2fb55e2ce83c2b5267fbd379b2

SHA256
c1cba7f776153d3c3c59447107802f1867aef22b8e2a4aaf85b824151c537ad6

SHA512
341c012802d82f321009a4f518c180f86e9d9c16173f39ce22dba849d32e02c9744f47540b057c1416be48b386bfe03d625122f35237c31e86c0a4374064c824

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dkwa.exe

Filesize
218KB

MD5
0d9e26f532a496d1e317e95d720d9bf7

SHA1
c881a688dec24c9ec1c1601d664878bacd89084b

SHA256
b4fa29bb0a437a41734886adf262702c35190db70a005a1460c0432ae45c24d6

SHA512
42a8e422d57d339cc7d38cf190d878f672b5bed86e0addaf23d12e1d708a407467cdac69cb46ac994de9166746a066b52351f2aca8cc3cfdf53bd665dad4fdd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQYa.exe

Filesize
228KB

MD5
53a6a88492a6edc7e83ac1e5476bd378

SHA1
381c21cc40ead4729fb6f48ef569b5ccf7a1380d

SHA256
edcb3cf88659d07ba96675bf317a3f9beade39c5ebc146fc9f2498ab2359c8c6

SHA512
90c3bc22384214e342b23a0ef7b9d4e3c34a0979d9f9c3472ee77ac962bd8c0f80cfcd992bca334a9451447ca1db5ad131cc3aeac837a62b0defb3609003a3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQYs.exe

Filesize
637KB

MD5
10451097581a53d3077663e843598a00

SHA1
ae3458dc44fcb314071f7495febb19a073d87965

SHA256
a9e8caad7b170c66a80a8c2e08f0bee199fa7fd7fb0811415991ad9d4d19e789

SHA512
3d352497728f149757cf693969716f45b0703a12d781b12bc7c9fe39b1dd2d119791a7b15f858e7d63aea4c971e2717189de2769b6860ab72d13f02ad1ca02b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcQo.exe

Filesize
256KB

MD5
a6527ce9c45f3092b158b5cf436fda08

SHA1
c2fac4d98cb2378f3da723f2d4185357d2be5734

SHA256
f87446902309b8ba5020fc6560574111a3a12ce67c842bd35ad54fb9b1982de0

SHA512
4f92ed825fa22beb72f9a9db5780305ef01175708f4c8b06d8e43d88cbeeaa6f6e0ee4243b7ad8ac3c05cae99e33fdceafead13b1a46e76a5806703017cf811e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEUS.exe

Filesize
850KB

MD5
247e3a0db4bbb2fcca7c3f792d5e665a

SHA1
6145c65f30b629725bc432f141572e96a761d551

SHA256
a444ef989fc11c0e99132544a46ba01426de11c4a8e61fdb5e8cf5edc0ff5bdc

SHA512
430baf90b0b55fef38cf34a01503d55159eaefedf8c537ba94218f670459ecaa060db9d58ebaa71c326242833c0792752d602252b29c7f3385f1e2b2d8715493

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYIY.exe

Filesize
223KB

MD5
a4dce971c3a81b69c0a8e9962559d4d8

SHA1
dcfecd87640e93dc993c75ea504825b5e08b8d64

SHA256
9e757777b51b3e07a48424011a71ab130617082756ee6c251736cbe8f6be2596

SHA512
7a39c511aa83497a5bc79403ad1f19fb40e46651029d197c010257a6471e2de170f95d0e546526fc30ffb0bb989c16ec5dd3b276d1fffb068c6e7369c6ef60bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fcgy.exe

Filesize
207KB

MD5
c4a92d40597a1fcc311272ccf4eab38a

SHA1
71291b00563f2b0edf47fa880e0780d1cbdc526e

SHA256
8b0d2fcd4e8f6b8300626e06849a60e4803aeb7edbd01a33a9a6b35d19cfecab

SHA512
304fe9c47d45ce0cd8e008945271dfb2659fc2d85ca780d9703a55c4e34ba37159a224a79a68118beaf46938404700682fe53585b134e03458f0a90f7ac2a59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FwkE.exe

Filesize
193KB

MD5
dfefc23b35c2da833a749e8b461faf21

SHA1
7050355330e32f77488d6676e553d0bca0125ed2

SHA256
9614f537af1717a96ef1a3cb252881ed39317562c132ca8c77dfc9a854eb733d

SHA512
2306589b4ec0a0b3979b3650188373476927f7639f6a7aad349bc8d5703338b07982ce90b9b7ea72793a2493787246e7c7692c64ee850d4a31af20aec139e7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYEc.exe

Filesize
956KB

MD5
d29cadc2713357b68550ead0f25ae2f5

SHA1
d72f9d12d4b3aa5bc33d97904b0f33dba4b642e7

SHA256
69e037b5cb8300253209dc9a8c53bfc49628f6cc4855deebd04a15d263a96023

SHA512
8f2de708dcfbb2db6c0692efabc2c69f757da4bd6d4bf7475013366ae5f0a43e7c50c1034d92fd26214402e24445e1fbd9dbc6f2acd062e1d4cf19df7d04fb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IocW.exe

Filesize
189KB

MD5
92320484d63d359db0f8bde466b2aea5

SHA1
0a8d69400a0608e39d87df248b097319eb615bf8

SHA256
edfef954fa634258e81654d475231ce8db8ec46f4a697ced7dad155ebe47a695

SHA512
ff07df82e2a7743f7be99c2362f0bf9a146012d6532a7fa39411e2a2edaaf842922061fb353bdb49cc683815757a7a0d00d24b48116dd574df6efdfca21fb87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAIK.exe

Filesize
206KB

MD5
679b3d2375f507781e6640e25ae41b0a

SHA1
737eb3b859de9cd02b02d203a4e71f899783d31d

SHA256
362e1d1d9e78af2e69d34d17fb31a1b451d2ee1dcea0a1b2a4ac8677f982e9f8

SHA512
579dbed88b4fc7f8395c08d3ace017020b87cf3004d9954e3ee276bd4d102dfa3c11933af7a4a5744357f393c682f29495a59b630c4837fa43d1ef351bdbe146

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUsskAIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgUG.exe

Filesize
196KB

MD5
258a7c37dd6a3fdcc21d59b349bced11

SHA1
e5abe9fbf24858e6fb71bb8f5e5231f7160f9288

SHA256
4d4e4495a539a1d2a3e86944b85c28d5580c107e8fad71e2454d0fa27f40b92d

SHA512
20a0501a34b08cb91480849ed96ed009a6210ba5168f352631aaa8a5a2efd3d51ae9f1633c04ae9e1dc648fb65c273a5162500ef804d0a06a6e2b82fb0759ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JosQ.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkUs.exe

Filesize
558KB

MD5
1db0717dc0152e50c3f88e6855d720be

SHA1
5d524b811c7e11241c8d4ea65a2a919046b77058

SHA256
6afe2ab115df45bd187d919b6c95094d43304bee060bbdeaf641eb085e3c2afd

SHA512
3724969acd42551c5058737f8e60e7cf418fe7d96b3c8b62c7c97fd5bb2c3b8cbfa2385e4911db8d5bc908ce94834d3110daefd9a822a2fd3daf768bc570351f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsEI.exe

Filesize
208KB

MD5
6edb35b29c42deb236e580652c1d4b6a

SHA1
2ffd2966d80d288cf35f6ae8a3ce032d87c3eaf7

SHA256
cd0e132c35396b88d1e1491785c8c260b08ffd14f04cbd066586d26ae3a121bf

SHA512
d8b31c1f04665b87be4147f6884f18179c7ba357e9c7c534a2c2f26b2fbf0052e557ea3cbdbf5c33de0abe0d059be7fff2b5c899a7447ec90f0daedc33f87038

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAwY.exe

Filesize
498KB

MD5
18b42f01f782344184016c6fcb0f7d2a

SHA1
2752c9597f5cbd411d8d35ea98928bf940e94404

SHA256
e6be5b7ac7c4b14a0d509a037050a94d35616d9e9e15310f431e0dc5764a7050

SHA512
27a1459ab9682c551cb05643b499e79d5c27d575f22ada1f8388a9b19e06b7d358a077a0bf7e1f508b85be9f6ed41cd49f644a191fbdac152cbc2b15f2707204

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsUI.exe

Filesize
195KB

MD5
fcc0f8cf2ebc9afca5ada4181dd5b57a

SHA1
6a78c9894230d8e8ac0a3b13b47331c072efc9b7

SHA256
15aad0c24ddaa6ee992c4e2cfd61b4ce3831be3276e08a5919446d2543b81797

SHA512
ec1805e7e8d455ae440b82eb68a0418bb6fdcdcafa8956063ec39aad4b1bfcd3a77e8e4785557897ea1100605078cd5929baf9351f8e95b16ddcb4f96758a727

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_1e6e53ed590499exeexe_JC

Filesize
69KB

MD5
9fd0458edf07010ad194bc2bba6b4ee0

SHA1
ad1fae9444b41577963c40ccbb2fe3f46d3c6206

SHA256
ff10c45357ff22f98d833cbaed59c9ae9ffedd4f4e302717c5324b0aa5a5bc45

SHA512
57e1f6778b202ce4567c42e1855afcee2a4fa848e6d2efc0a1fcaa7f3e03ab127f3de9c4c8111493a5ef9166a27c2947e8973ad88e3f7980e551d8aae14f66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMwk.exe

Filesize
196KB

MD5
9fd4a8ea10bde5dae743e71220de3073

SHA1
aecd04dae91309dc697c491576366a401584a793

SHA256
6e902b4f96a645ec5a9f074cd7c00790da2765089a600ec271a7f2554652527b

SHA512
8d005d668fa370461cfdc0bad083c07b9dbe55b52cead2e789be7ec7df43cf79bb21f69fad68fb27c355c607ce31b7239ab2811a157b0ebd15f4f2877a9280fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgEa.exe

Filesize
306KB

MD5
901752523a52fd96592f8bc2f63ce9cf

SHA1
d48f2626debbe17f9a0546c02015532b89116757

SHA256
8b35c72106286fd6eb0dbfece36350b15e22854d9e42718a08ade11195d027c6

SHA512
94796309ae095a07cbb3029e01bd0edec379fac53c83098f7ce6486e434075aa3705314c0b7f473a7c55590d9d4dbcf448c734239da1de0d971e3997fa751c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgwsQYUk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NoIU.exe

Filesize
311KB

MD5
109c373ef9bc559c575379704aa91bea

SHA1
101e27bcc68aa8749528ade7572b0f2a44f17d4b

SHA256
d68c92de2e976688c24fcfc603ff7bf80424548642b7fb738fdac66dfcb95291

SHA512
64abdeca4e68bc533d95fd44b8c5c27c17f37ac1550267ab4f6eb879827b739bbcb40f4fa322e4a99d0edeb0f6ab0c63c66236d88d903d84c7f8b1c7d100872c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMsK.exe

Filesize
190KB

MD5
2fcc7d2d8ed1e26bc9325800b79dd1f8

SHA1
cb9170611cd1670aae060ecf9e30418769195c7d

SHA256
b7803cb265ecb3b63910e3cfc50e0bb1af932642248b2614552dfa93282468f8

SHA512
4e05ee743941d7ef1887c6b63af2c93df3e1c66dd8830e05b1f6245d95f218123bec210b127b99c085b2b9019e6da1cdb39ef8f1f1e520fcd55559045e16fef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUYu.exe

Filesize
209KB

MD5
51a32522ec0ebca6c19b52117cc9e713

SHA1
c1506d3414316f5fea941ab03cfc06ea4136c46c

SHA256
9f8a2a481f0f46fec61fee5077a3fd04a92faa4818daec150523892c3cb2fd17

SHA512
c5d657bf471dff7d80caca1978a32b117f2d801a122a7b7ee065ebf22292b714423446b7ce84279225ba5c94a81ff4809cb74900330043192f27bb95b91f64c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkgU.exe

Filesize
812KB

MD5
9b6245f0ca8cfaf97c99f2a6185f66a4

SHA1
7403abf44d64bcdaca713f57505a61cdc3fed69a

SHA256
96c09612d31a907f568b228623f07d2b5adc22b2e56654ef73cf6b3d7899fa0c

SHA512
ff6ea71fd8a1ed267ff8bf434a80c40b8d42a3062eaefd1c7585d73433c46d8c037fe4559269834d72992060194ed173388fa657bbff12097722b06921e695f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pgsu.exe

Filesize
199KB

MD5
92d70719f30a81836a7b41e62319b3b0

SHA1
04c1f7431472abbce04c4da3fd640e377a485f36

SHA256
b84e8e1ad1370461e47165d6547f4d81bf4069821b485bb1c2a7883e4b4cc746

SHA512
b2511fb6f601e5d6b32f5bc89e343f41d22a7e3323ac2ec616be796716cb810bfacf044dbe45cc2da0282a0f39dbff2452074d0fc58ba7b5b5420ec490a0d070

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkQA.exe

Filesize
214KB

MD5
56887d38045aa7a72ce7f3c43b50010a

SHA1
d077e05ec1e7668ad3eca35a07e106284092b5a5

SHA256
96df2a723e3c9b42483b6fee34a1f645f451651f35ff7589f1363ed5660fe706

SHA512
90ad864a331f4e2a8f193500aa9592529470941938cbaf15ff70dc51173629869b1a3fe51e06b92381f48c99d0873b39a31e7560c3a015196ae08f05bcd69bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QmEUUsUs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qscu.exe

Filesize
191KB

MD5
b7e9e6bcd8d7a6f4acc52190be8dbbbc

SHA1
6f8e797930831818d4f3544951842c3ac59d21a3

SHA256
43cb10822710444da2c419f47d41b46d449ff6159f661856a2b5b68c8df8af4f

SHA512
a412c31956ea3cefb6d4fadec2cabf3425f88df8f19a57b4e88414fe622cf256214c2286331198533bc8e5b15c52e03d61d4ad831d445bfb70bb6f74c5664b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMMS.exe

Filesize
225KB

MD5
b7cfdd93e398e3f21f2b2fe02fb556f4

SHA1
999730d5aad158caf364adacdc5c639c4587e138

SHA256
aba5398c3749c9e408b23911eb3cb2fcc3b143bf6985f365cc4fa3da4eff1a17

SHA512
18daced8850023aff7884d6b5039c20dbdb906569219ceb6522b2bba23508a6c46bd4c73a1a34326ee2cfc7d105cde073aacd55c1575a81bf2078d6175c3ea27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYIY.exe

Filesize
661KB

MD5
99d8e4405b653398e37f5efb55467ea7

SHA1
123d40165ea41f65c7eee0f01136ca9097213d9c

SHA256
adc753b0f8d6d8d1434d04bc775f6e58a0333ab8e9c2f0ad8ec6c715de5fb92a

SHA512
193b893d48cc01fc2097c4433ccff5758cd2068174ba5bb851508c0165c9c4a585b0b47f9ac39cbd00345133b8d66acc99d69540f858b4e5ced4f093bb5a0980

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsQO.exe

Filesize
817KB

MD5
5a9b1fac4e5c785158f342a69ed8a5e9

SHA1
6b1d41d7e1088995dd8546086a24574e010110e3

SHA256
7baa207d234f42fe1491f8b4389137d9b981eecedec45154f37a394c3b7cd95b

SHA512
d9e68361fef814bd1a9d6f9963d14b2f09ea26bb07dc3ec0ff7c1b4726f54e7124ea6b955766c459f524bb3a69684372c13b30f558d2c5142a8fab7b181fa463

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQsq.exe

Filesize
207KB

MD5
8872a2fa70ed92d3e700eeb77c613bf7

SHA1
88fb87918e2d982357451e0e32e3a4ace8342974

SHA256
ee5e3fcf5285e8d539787dd1a8cdf227a9953959614a1d274b22bbd8f464ad0c

SHA512
feba101fdfb77320e419f891ba251a05f070dec18fdf15aebf051858c01dcdb8a0ecb3fa4ed8461dacce152a2e007e39aae6fd78af1329dde596d460752d65bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tgsc.exe

Filesize
203KB

MD5
25bd1f2991004a263db82eb83eb29344

SHA1
dd38d207a171f5d7231c17de4a5a6043272557fb

SHA256
3469c608b5235e29da6da60e7f5e1050f0ce5f6903f6478714754e9c7dac4eb1

SHA512
f87f60977feb439fc86bf5e095d8b3d22bb6b93c38baaf12ff984fd75a681a1bfdb9b60b2d2f34f8abb8e299261dd44203402ab4417807109995501015f7e908

Download Submit
C:\Users\Admin\AppData\Local\Temp\TksC.exe

Filesize
186KB

MD5
e1a837b5c91049bc7e03163d5956dda6

SHA1
2d5ce084457ff28d757c47ac57a04aac630a853e

SHA256
ac7f5fd9d966069012c4d2f98d519d67c0128007abe3b1eddde84b9052e3c268

SHA512
328bab87854d12ada9e113af26d9b6246ea7583c28df4ad201d41b5dd6b94178d21a9e85fc9bf94dc61a3213fe1f26fb4dcc95b57b6a5b03d52aad076037e19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMwu.exe

Filesize
192KB

MD5
d9f790731c810ec2dd89e4dac1c669f8

SHA1
5312921c16114c4ede365367d9ef6f8f8e348a9c

SHA256
1e8542359596c352328bbbcd31cbb9c15716a14746e6eae79d288ff19c45dbfa

SHA512
23d66ee2e7477b5b8528982e17827737efb590a371c762e4f0a56f18a4baf6578fce2a13894987ac247fdf815b4916ea6b1cd4323123047c9aa39b42bd31fb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQsE.exe

Filesize
202KB

MD5
2ce7e3bb09c39a3f2f2c6b3da6906536

SHA1
ea05f8f6635edda62717ca5cd35692ea8371ed44

SHA256
84bcb2e6b74ff00224a804979a13dc38a793868697e05e5deb17f59d2ad6c71c

SHA512
bda98a9ca96786005e0132394136f2f6c74a86ee4bce66e1b81a787330e170a6b4ab57da2a8b2fd3f0753c55b3ffb57904bbe99b544d33722685e1339b2d4290

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkQg.exe

Filesize
1.7MB

MD5
5d5cb742da5bdf9396b91f5111f3f31a

SHA1
bee5693db635f23407fb2ff777089445e85e7b8e

SHA256
9ba74d50bb0caceb4a94b62600bab85cb7d8e9795a5cd9eed321532454739a16

SHA512
da792349cfcac58c95368581aca22d851aa0faca3e956408a867f4a0d0a4d0c55db6ee500fb7a8b2389410c7b97f2a72bbdaf2b0d4faf59f0ed3c01dbb82e079

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uoss.exe

Filesize
918KB

MD5
4b998328ff2c5c42a6795c1e1be7ad54

SHA1
ca0a25ae884e561977fd73dc56d0f27e2eb010b3

SHA256
1784be5af2f337e41d88e82482be8a5c41162676067d556a6d4b0447afa3aee6

SHA512
b4b72e017628cdd2453536965f0507c34268f3a088849e813e44128ee8d4b8531f0970bc7b5d82b934f9afb6a1c93bfd6d074e244aefe96e946bc5a5a7109414

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwsY.exe

Filesize
198KB

MD5
edded34c43b5c58e75ed2982239d7c7f

SHA1
172e4a32f24d8ccfdf2e33bb2e79329c3a7a728f

SHA256
00127ae4ea0af88a51c1630521f0c70cd04758893a5d45561b155fec9ea290c7

SHA512
58d3d1d532257afbb8f71db773039fb9d122fdddd34015f249efa103b4ac8c4b0cd149a81ff0f89773136af508e93595dfcfe2007e7e308b9305c40f5919e1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAsYUQUQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAwu.exe

Filesize
667KB

MD5
06258534d91814f7befb3f1040005696

SHA1
59f0edb3e5152276c5a49ffadd9886527bfc05c3

SHA256
26c6a20f673d776da625c84a4e64575efad1cc1d84876740a0388b7d012cc4f9

SHA512
1dfe89a50d20a8fcd926c39924de932f480642778cf0fa44161f76f61576a15b110c8b93ac0fa7d4d8468616325d35de098329863a3ec8eb449a0fb3167d7483

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMEy.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSkEIIkM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSkEIIkM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIki.exe

Filesize
193KB

MD5
97dc6fa40f2847d1c8d373f9ab85d49e

SHA1
e184e94d92a76d690d921ced080c729e2e8c7864

SHA256
a80bbc026cff51f37713d5ce67d7d6bed89196296a38b6b659a4ef524e8dd247

SHA512
d36d43b8215a63300cac55cf46e561e9cba7e8d903188d1adb76b709e19f2cfcfe4b09e4fa9bca381c81855867d4419a2b87fb80b0b8e9a69bdfef1d79aa7b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaUccckE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkoC.ico

Filesize
4KB

MD5
cefe6063e96492b7e3af5eb77e55205e

SHA1
c00b9dbf52dc30f6495ab8a2362c757b56731f32

SHA256
a4c7d4025371988330e931d45e6ee3f68f27c839afa88efa8ade2a247bb683d5

SHA512
2a77c9763535d47218e77d161ded54fa76788e1c2b959b2cda3f170e40a498bf248be2ff88934a02bd01db1d918ca9588ee651fceb78f552136630914a919509

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMMS.exe

Filesize
234KB

MD5
7c0dc7da849682ff2c88011c2d677814

SHA1
fae32354c3124f9c64a09bf73d57d79035b78656

SHA256
d3124cc9a80d1572f6f1b9f7069154fcf00d68828c5406cbf5aff29ddaedf5bb

SHA512
8d43cd2c75f4a6fb9c37006b1fd8d63c5bfd3311e1908baf7a5c22eee8495ad44d80a3e901a263f958825995951bb89fdd926fdd87ff0eae444684d46c2e1563

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgwE.exe

Filesize
589KB

MD5
042f0389057421a72feea7fb1d81c0da

SHA1
70e54d96b6c19f0545d7f1904da90cab7466c3a6

SHA256
ab685f66f783db029a5420d46fd92a316672216fdca41d5d7748d7b4ae965140

SHA512
575d5b157ac9a92761dd31fc0a5377f93346e6f656dc24d104411a90a863bdb18b583c58f58de68a056cad11d4aac34a2d3bf86ad6a6cfc3b25e8774c6a6e74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YiMoIcQg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAga.exe

Filesize
181KB

MD5
e392d208a31625c7636bf5670ae39d03

SHA1
44faa0dada3b512f37602869051ba0f876a7eadb

SHA256
d563c688953bb0fdd75f001735873e7728cc2c1f4bf42d49ebdb51958c500828

SHA512
16bd8580593169bd49a0c949372d88eaa6c32979048a540a72169d4af376204083afa98ab34f09cac73618c2ac392b343429aadda63c875b12695533b3bbf74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIoW.exe

Filesize
187KB

MD5
625852d403885c3214481b55cb72598a

SHA1
a97bdf25a812524ffb9842e18185e1ca07c59cda

SHA256
ac00477cd9d19d0cd7e8e87771201a5443e53a9b47abe8b4b748f7698f3184a1

SHA512
3ceb8c726201a8af14e2b6aee903deb75ef316521f8ed784d0bed4596e71e6cd92e806c799c48a211b46066fd243e2b7fcf626bfe67f12e5f6efcdadb014a98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMIK.exe

Filesize
208KB

MD5
e34c024c8562e78bace9c41c978926fd

SHA1
b11a62d56c9943eb7f699e67609b46216cb43703

SHA256
26410854ebb9e02586f2ab7d184d462c74adfc0039811cb89aaee7b39f22223e

SHA512
2898e49243952cbee746ec3c57e21a8e1fa3dafab1af4e07ae8730232bc2b658d6a5e3bd4f333e7ccf81b430f897df0cbbe68842296a21fe0d05c36f16611bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkYskAcA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMUS.exe

Filesize
212KB

MD5
1ae0d378d2170c51cd0bca643019077c

SHA1
dea23e087cb07a3dbe1a26f343dfad0b088b031a

SHA256
069ac35be6586a4e6e709fadb4eda19d80e1f8acc524dbe886ff7d645d2bf31b

SHA512
0816c3dc3abbfa793bfdd2c74a59a5d69e92cad066e17ed225c9fdb073296de3b297a8fd0379c13f47d9f5336ede06f42a9afb486e1592608abe03c495b89265

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUUa.exe

Filesize
770KB

MD5
c0eade3c4add050bd3633a3b84cbbaab

SHA1
56299252dc81ce795a1249be0cf03354c13b0fd8

SHA256
a9f9e75f8dbea424600c2efd27f28da49fcfb6fa4693a7cd36f5428bde983393

SHA512
5e6d78fae5a6415dd847a8337a078e05ff3eb86252d689ce5ca5c56ab9a9fe29b68cfcf977166c7bfe41dd7968bde1d0802759daf79452f6693e40fde03dae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAoI.exe

Filesize
210KB

MD5
ef2c13d16952823135da2bdec882e8b0

SHA1
9bb110f960aaf45721f63d6b89afacab88f0d743

SHA256
13081aa14019df379781aada4966bcd60228f83bfbdf4c65f5c1e02ce9cf48c1

SHA512
d701ba2ac15dd729791439a701c5bc04d6989f07cf7d09cfd40ba65e7111684a8204f34d4cfdbdcd423e66426df95d1b34933a74a2d7eba2dac3c225417b068d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIwM.exe

Filesize
244KB

MD5
3e60b954c218965cb3bece141f34b986

SHA1
b0821201377983b7f419098981985a63f655b860

SHA256
bbcba3da59036b50ee6a217c197401dcda4f33994db38344509fd51e606993fb

SHA512
c11ced4c96d9da0331d41c1f6b92f9aca2698eb3a05699190fb7bb980d96f7dd3adfb1122053555ca2973fc4ceb3dbdc0c453a4756934749c8195e36838c2e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYcK.exe

Filesize
199KB

MD5
b95791fbd504421448e97a67616a087e

SHA1
4a32b105ffd6a39076303e07df85fe3d2ff9acaa

SHA256
60aaca7a7becff379591d602d242fb4f97f176ccfc99cb69b8b6efc437461d18

SHA512
81438d5e6770113991173d93099ff6e392cc0e0ada50b9a03fb9c61495013b74df5a3b449dd3b5c5b73d08807f45865fcca6716a974f6cd6c6f545fffaeb51d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcYEscEU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIMg.exe

Filesize
191KB

MD5
65ddf0cb00d07ea3ada3d2cbe8339098

SHA1
b18db708ef13c8c78c68be94eaf4ce122c2dee76

SHA256
174506212def0d21754eae245703aa8dba1e8b51003c08bff5037f97511e8c42

SHA512
7dabdffb605dfd386eb293f7506e52c71fcbf8872f64729e18037dac1d1f77b48fa7620f9e1b193fa22796c5635e6134b584cec0e2210c0ad0597af1109ace21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckYK.exe

Filesize
192KB

MD5
0799742096d386e9ee465e44be88dc2e

SHA1
b0710d458f9660340ff99adbcb5f4c79038cbc0c

SHA256
c5dce6833d0881c8fdd2d327a6f514af16f0bff4cc4f9fcdd8e7008cc2895a60

SHA512
420d0a2de5da511bb79cf52b29b4d5716b47873507e93cbac6e802c4fe9a78e109e4882d8117ef5e6e1229dc8b854a761835418341775e04e1ddaccf03fa1e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckoG.exe

Filesize
199KB

MD5
f31372f9b8b6b5362f3b660bf1dd9362

SHA1
7b0169edc998f068d9ae2aa48786114b38f02d78

SHA256
9887f4b9aa5eebc00453afb7692d493d412c795323a1a5360fe19a4bb06d4791

SHA512
893aaf8433984730d3bc7bbc67ecd712dac34d5ac6c3dcc5bb754290e46ba1d2ff3b23e914d9db7475fd8945320f4f7b631d8c4ef832f3280a9374fb1c00f1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\coEy.exe

Filesize
194KB

MD5
a6a45dc1e4449a996f7a7e8382e9b3f3

SHA1
549e164cc8c31a51043ff27317b4613013d073bf

SHA256
99a1efd9db9d52b51d260b5b9ecadc92edb961e5889352501f847553f461dab8

SHA512
94912346e7c15a889afc81c1c4037c27afb264abdb6d4815002c4bb38f86bcc5310b404361dd20c19ff6d45743f16bf5ff2bb3a53bb1eed27a92ebf9e1d76b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\csQG.exe

Filesize
427KB

MD5
ec35aa94abe451642150bdd9c36436e5

SHA1
88982772c63d36170f35c681fe4fd8d584de5579

SHA256
49ac0b5e06519ebb2a218ad6ecd0a03b476f3c81730fb3ac90664fb59793c958

SHA512
0e6fcba2a7f03279ae9bf0bff49eb20003b7d32b106c0fe4a630cf8e96c5b8ff083fa0075cb58d3d5627c351a33e05c369fe0db47a813117cc5ea9a53299d1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAsc.exe

Filesize
629KB

MD5
267858b89a240651b48f037355b78f9b

SHA1
b2640fb232ea5e1f1d413a3ddb07263ecbf81326

SHA256
3d31e6562708229742f77dddb9db1181c8376ce81769cce51fb48acb63294896

SHA512
137a1bc9353cd84ed980661926e9b291457b637c4389027e3851ca9b363354856d282143b80adcc56f0b46923333daf5073937e27d729412a4dd72ce7027cc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAMc.exe

Filesize
223KB

MD5
21111b1367e9aa0c452ebc96f358cf8c

SHA1
efc2710b7682888d9dcc58f6c728332eacf78d62

SHA256
30bfebc12e9128084815c9ebdaaad8cf43abdc2104b40949523bd3a59816a915

SHA512
c36a5ff6d0dacd2eee6240ac014cc7179a88d0f3746102f46fa94f4f4e6a6d70d12225718c02d6fdc06218955740868883c2b4f002ff63edbb0a767357f64b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewEq.exe

Filesize
312KB

MD5
99e9dd032d6de0b98a1bdf8218028749

SHA1
0e116726541d6afc187715684e9ed3cbecf1287d

SHA256
9f20c1247ac0cac1071e288dff872d0d079f3dbb54fa05e997354006060a2577

SHA512
52ad88dba9ba943ba59f65b369926010514263afced498b0c6775a2b31db3f55774cbab4af2e694b1d1efecd39d47d97d733faa73906f445eed2e34ccaf7f7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAQm.exe

Filesize
322KB

MD5
429f637c5dc370f71a88f2f713cabf9b

SHA1
ac3b123946d8bb7a28cf7d13910c6e8a05ddc683

SHA256
851f36c97d06ef0ac86dc56f2784a13f7905f9dc2f76224d39fd7d9e86ab76a1

SHA512
23b4e4260366090965f3b4ad0ba902ff6109c84828f2d8316a6638c53c154312dfc471e399baa6394c18d89374be9de44a6630409fa167ecd5a57dc8c9cf0fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgok.exe

Filesize
203KB

MD5
c8f8cf842bc88b45cdc13cc258b2b1b3

SHA1
7ec92056c1bfe0875968288d64ab22d5f33be793

SHA256
83a4fd7e064bad86393bc0e7e01caf19589d4844c0817e6bac4892800a3c8008

SHA512
3d03719bba3fb6adc0abdacbacd669c1449e58fb8a312138ccf3176019cc52eb4a407b13148c8236f3f05a4ca1a6e5395ee36a996d7b908e8a8fcaa173b2bd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\foEi.exe

Filesize
180KB

MD5
ce0fae3b72545e29d1c86ad493ccad5b

SHA1
34e1c071d6d67d696ba8cbcf34faa88604286670

SHA256
780016011cd9dcdbc968389fa55ee627a1f4c7b8d50bd92d15459ebe017e398e

SHA512
a4b46643f9e9b15714bd749d9b71e231a0a876f336bd65d3fa7e657ed19eeb819cd2be2c3f6d25826602a85ddb123cd41e6ee1a4344b3b71cad585c4a6e2893a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkUC.exe

Filesize
212KB

MD5
f8a18cba29e3584974435f1da05f1595

SHA1
6955114f7929271104f0f19089c7ca55e23a6a10

SHA256
47a5dc73a2940559080eaf4b81cb67b9bec8ec68cc58f69037d880d10faa5b30

SHA512
3a771b87386ca915de061c6ed2734760b60e2f3b1a57469ba5d24d2729f86665cdb6631d5c9209da91675be5f8737ace8e2134a4e8ab8553e65a0c63d8911f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIok.exe

Filesize
5.9MB

MD5
ea7f27a0f2def432e5aef219c6e65d73

SHA1
0d77100235df685f52d1fe2f3b9a81cd23f700a1

SHA256
aa85f3d853dbd75a426bf6c26b271248bc3177e30b9fdb57f6d4789ecd34c30a

SHA512
ccaf381c4eb0a58a2a17ba65e07842b3f7486f54b62ce0aea6b223f2537bf5c679470ed60fc6939e0b60d35e3e89da39932c819312b9aab900ad507dfd7e3cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQcQYgIY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hQoi.exe

Filesize
194KB

MD5
21e9672f46575e501eccb03edb427925

SHA1
bfdc48cca36c963b276d37d873bda493b3b80c26

SHA256
c2faa912d3257aa9be46c679b40f7b96292ab1071c65885fe2d7602f50be3494

SHA512
ca05c5f7c21f3af8db03a84a8c19bd42f6638731267cfbd96c78e493b87a0e6485fe1b26a0269a927c29f767ea06d707644f8a16907cb00a171736be01ce50d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEoY.exe

Filesize
818KB

MD5
942c85846a859d71370657f2c7c079a2

SHA1
bb02c9319d531b15805d0dbc3c2b7d8c74f72517

SHA256
5ef4ec12c7c1afd575e28f83998a8a94405f524379ea252118878bf8bd9aedb8

SHA512
c4092060cb46360484dcc183623e7decd301631f575ae98b7bf601cf11c7a302b583dd9616a369ae8de5e8fb19ff59f38a55fff7302748c2c39be223d05c58bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYse.exe

Filesize
211KB

MD5
cf54cadeccc8b2846d8c2b1623ae9282

SHA1
375defa95260ef525a7d4f72fa48a06eb44fd800

SHA256
3031dc24e7543283434a78e96f7dda129d2f80d71e50bcae5d26c73eb8c22a2f

SHA512
ff962d296226db3e7413262fb91c961e3ffa046265ae778ef0e155f1ea76de5ea2a510db644e6fbaa063d1a526440a75eb7cae3582d74d86054ff289876f8068

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMAq.exe

Filesize
196KB

MD5
103d54e9374ee2f8ad96d9d5ef1a7552

SHA1
62afd790075ee9b63ee1d61c0477c3e3cd5fab76

SHA256
afbd1dc4f55089044bee2eb9a6afa0531e2792012061da9cd3bfc1a8cea868f9

SHA512
f52bab21d36c05492743787a74ec1f03fa8a20930ccbef2498c44c878273a0c9de6c8120ba388a596620d6acb7d3e5ec10b480ff75b119e69e088246ff32ce7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgwm.exe

Filesize
185KB

MD5
ce6261ca55db434d5ab1e5004bdfc7e7

SHA1
004b28ab444ee76082a63b8003a3816426bfd710

SHA256
2a48d1dc734a5b3ae9fadfb70762ddb9b42604b581c085ec3fa2a234ab1893c6

SHA512
219eb5a7936ba3b5b13eb54acbbf02c4b86e4284e6431b00e93ad0051ee5fe5fd2365252f37ce3bb06cc8db750d6b4a5b06d8eb6946d023a0f58e4538612753c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jowIIIoY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUwE.exe

Filesize
388KB

MD5
429cf9192bd7daad3217505f922b92e6

SHA1
7c8e72290b9172e14f2226dffa799abb4606d19d

SHA256
ef9d982e70525aa64c7bdcdd86ae36ee7f5863812b1d618b06217b14e5c2d3fa

SHA512
9167fa35646e24268d7994e5abe1533f75100e6e33be755fe5c2828a43f749fc071802b053e23865997e551b6d6b3871ce2dda790d765a4ceedf9a5f5b6e0a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcga.exe

Filesize
187KB

MD5
8e1c858a61ad2da6ad9c41ba5765e24f

SHA1
d4f88ac7294f97d0661880623f9ac590ac4359d0

SHA256
ded5b82da150793004a234f60d9d44d6a4abd8ef68281648a3228e42164b3b8f

SHA512
2ff664f1f5659a8e135ce6aecc492ca98297d56b3e2d6afcdf8a161963c303e5ed7bd872c404334538d19e8fdd023801ba73ee0ca147a088c86f7be6c242cf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksIQEIkE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMoa.exe

Filesize
188KB

MD5
1f5936f62281d0fafb1200844d068126

SHA1
83e2d592213bace570fa65133c8a048378ef845a

SHA256
35014ffe615b5776271ae0fc28e466e420153df5da7c2a0d6fce71a8e3cc6cb9

SHA512
a92fd9e9e1e0687f34a28b5fd92adcb22d93a11ed50f23e8aae469666bf0399987fe5e28144416c873798df123aefa8f8c94de3c51f8142cb59e398aa38baef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUEEQMss.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKkYEUAM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQcq.exe

Filesize
198KB

MD5
8eab5b0d1cfc5a85656cf50f2d8c91d3

SHA1
d282abd9c94247d2d78c7a7132da363559a12678

SHA256
0008b1d26a1805f8ac7b79f4bff221ecb8fd7fdc5d41a43c2adef269b99fd880

SHA512
d43d94e5b3398093b4b46d8da54979ce1dd2ae413a9f8f61437a49888f46ba44d15752b3426ca1b6959abb30647717ad3b923494ae0d70edf8a2cf0f237917c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nSQkwUEg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\okcC.exe

Filesize
204KB

MD5
57df9c41f994150b37d573c60263aeb1

SHA1
4bbfbed10ce555f114b2d754f773ce564e3e34a0

SHA256
7df8f917c97416ed45467c92962e27c575bc362e3cc59907743098abc47158de

SHA512
a014be072b9b941dc599e1f827f33dc4add656cb5fa6e5ca10e247af9fc2aea484b036ac4b13c8e6777b6c4c399c7bc28b0bb91770e6f078884752e2370f9597

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooUq.exe

Filesize
212KB

MD5
83169cc9a45a2ca8bacc7fdbbcecf92f

SHA1
154a92d4e26579e134edeff6713eef10b386e0bd

SHA256
d7747ad9679b82711d8d12752c455240ed2d44fe3f828264997e39b3844d24ba

SHA512
c86803dd07d4ee3703dede192c04753a53c6ebc70ea993a237a7788eb98110a001ae32306de9ff33d251511c5e989349b6bd31c9b67a540d25e798259283fe2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUgoEYkk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgwu.exe

Filesize
205KB

MD5
4973c07dac253b818192d817ceb3fea6

SHA1
63f80359505a5ca60518f38245863fdeecf85966

SHA256
47de597835ca4cad3856b7e84f992578797b06ab42af4063b876c7deb92d6aca

SHA512
cd057bc95ea52c54b738c0b3fd5a7b55caeeb1f0374852c8e2e2535122156fccdf329c3af2027f97ada3d4bb4a4ff298dd739f777b3691b1a2c330c660dc0f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwAS.exe

Filesize
212KB

MD5
563834cdf77263f793f2b2b12bc1587f

SHA1
77d3d5e7e69b033641a81d0eecc0bf4137cc7272

SHA256
064dfa0cadd77d95b4ccef70503daf5bda8775a494992140e4fde996d73a17dc

SHA512
81e25f18630a2d0ad306b47cb617acf0bb24ff51fa99a4d0d872630f099d8d81caac7e045e3a6c4ef6591e473f3a867f28e04f6254b719176993409d707faf3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUYm.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkIA.exe

Filesize
820KB

MD5
c2f141f7b5440730a772b5b557bdc5ee

SHA1
04a6d99020265cbdc59d438f5c0f916615279146

SHA256
b68362249a983b2517b4840084948a75427b8a0a32c6798c595f1540a2aa83d7

SHA512
9c036a6fbc2e968301048da2500c2e15822293d7f70bfb062346465d76e32d5f50ac4fad6ed8bd0c565c10bd089676c0ef77305d5d369551441c9a0010836d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcYG.exe

Filesize
5.9MB

MD5
262f6b1168dba576bf705e798cff765b

SHA1
0c5ee8d0dc3d4a967ef2e8de93f6c5ff25bbbe7d

SHA256
ec58624f0369be600077e1d47815458fcf2c136dd8281b7e028f43b4e99da5f2

SHA512
355dd25979779d78d4a0c2d589156128177702122892e61a6ee32323b73f215537f55f8cc2def4c15ff5098292dd73c32ed5ae0b3b46bba59e809106c5517ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rccE.exe

Filesize
185KB

MD5
a1f3c4eb1283dd42646aa0b90350acac

SHA1
331a4b5f543ff286898eea2228fe4b299525ff9a

SHA256
5846835ecfc347378103c570c1fc113ffc06db859153038cbf3e5a7dad32573d

SHA512
158b86bc1de9cd9cd75afc0a843746768856ad448151fb0df19f933e382bb73777ea13455c2fefd5c31da8246a2c17de954337e2366b5cba9241fcb07496d1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAMG.exe

Filesize
228KB

MD5
7249652d139698e10ced440a88bf60b6

SHA1
b1cac99b4c1e3935702215537f714a0f5971f757

SHA256
4e46ccfa6fdb0060805c014764462ae334b8fdf6355b238f2a1d0e552372fd31

SHA512
c11935ee0f41d09049e497da9ca6aa5161f9d1d76b660cbc75ef6d5e2e97905c6d57a06e03e7f40b1fce192b2f9393e6e524cdfb73d094bcfebed00ca3dd4bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEkI.exe

Filesize
192KB

MD5
5205f53bcd030d9eb33e8e91a53efc52

SHA1
5b671fca7c893d4e38af044fcd36a27ae3937a6d

SHA256
ddbc8b03b158fa6d9db8decda48ede91939be9b85d144b387cb4226eda8c32ca

SHA512
75f1aaef9171be46aeaedf30464a9ad0082f66e45815ba22a558f1b4263ddb3c4e5589dc179605136eafb35c2f374eca52b95e1aeb0a83e3a6b68edb8c4ab01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQUO.exe

Filesize
240KB

MD5
f070cf7cc630cdf4207921959b36a245

SHA1
d0540c282c305f780ba60a63e8498ce1885e87b0

SHA256
c3a59ff1705ebff0aebe391ad10ed25f171f29bb78efeaa8b5937375b1bfb65e

SHA512
4bac4638674cca630b6303ce93d1bfecf0a8bdc291da32efaba59abb3d326b2c6e37927011cae1007254fc717605f91d47229c2e3ed038650bf224f9599a3319

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQUU.exe

Filesize
200KB

MD5
6731bd3e00c09a2b966d270b95c93703

SHA1
2538751383bfc78d056ef5fdcc572c4ba75c6cb4

SHA256
ae60bc37769ab7e828905444a7c0519280c184056ea626448719a1ace38b0057

SHA512
81cd4729e4de5315105098da003a00c8f332d60c4d6465b1b01b8bebddc010ee26fb4abcd9372f2eee6705cafa0015897ae378d0dbc9122852a2e6d8618da34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMcU.exe

Filesize
210KB

MD5
1359d2a0e77c5f4c38bd80ff1aab4cce

SHA1
9ec0ecdf222ba6dbecd1393a0e436b098aa4fc5b

SHA256
1d96e87aaa793611a3c79361ff46d4d8eec73a5b1df7a52e7b03bd824fc18240

SHA512
3c5c28c20820f58f20496eca5e755ff98a49ae91777046acf225446a72d1e7e763d9e72fe168c663fb9b9c2920cd6995153b742f3896cd890f4d656039bf1ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYcW.exe

Filesize
193KB

MD5
0f41a09740b57926f35c6e861626d0ee

SHA1
dadc6698a3b7c2f506679b53c5307b028136a0dc

SHA256
eed26ae6689309867e77edad337cdd5f800dd5eda1fb286f9c1c145f1fb29859

SHA512
7dba62b5811e86635997445514b3edc4811f7785dcb871c63d0ffba8c780152d1d450760f0720370a5bc729c95232034a3086a8c66af829040c5aba23d9788f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcEY.exe

Filesize
207KB

MD5
85cd38b34dd743a3780499891902244c

SHA1
f263f0b9b81fe6e8ea066609dd578747c3ef8300

SHA256
72c5c1c021b3b5c501a9021daf675303da8856af8c103916825a77a776b2bf5d

SHA512
424fb00ebadedac78983fbbea000db2c7b8e29ad4531b8def4a81a861b5fc1e85b84b78d22f7cb82671afdea0152629b1b9196d2bdf921a7de5e35f805eb96b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsMW.exe

Filesize
802KB

MD5
b3399ca1b3ba6ba8bf199bcb029a0c14

SHA1
770aa90321b23178e04c38227451210594bce04e

SHA256
be6b178ded4f25efb5ab47fd4cf67d43691ad094b16341be7defbabce93b86a0

SHA512
9980ae52ca09b49ea29c51c9b8b68f68c44018761d7600ffaa5fbd0c1215c4908bdaba4aa198634f467e72dfbef05ea7736403fb9e3915b8c5d9ad339a9fc41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAsm.exe

Filesize
316KB

MD5
150a0cea6f3a75804c4da16d865090cd

SHA1
046cfef57af5e6372cd35c2d7f0e79c3b9c90c9f

SHA256
53d83be30b5a1dc8447bcac66b54ae346b62180039373ebe8df28def73135f6c

SHA512
95c13bc8c5c0f8b47011a7b0d049a921487af12fad7207f479545c6580d375db341597b663123743567683deb71f6b42baedeab04f972c0d0a5cd4c6ddfbce2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xOQckooI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcsa.exe

Filesize
220KB

MD5
f69663d4859c937dc41e87270707d385

SHA1
4fa047de485c6a943f4dcf6142eebc89f45c8ab3

SHA256
d9eb10e4023f597fb4119e23226d3936abb837fe5de88917d08e6e2ffd22e555

SHA512
1ea7ae403821c870b76079eca9f54795f14f3b40618bfa813669ded57e83d8f0261fa6aba6609c0403ca302a159083e63c8256000eb48dbdbdbecec2b708fda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgUe.exe

Filesize
787KB

MD5
8887142c72797588ece6e9ce3bd964d3

SHA1
ee76855173fe57b01c9bd083e447cea4faff54c9

SHA256
8a0b30f87822c44070f4c279423962d5168350a06c8bf071bd46def5a3f3b1d9

SHA512
ac174d3ed2e44e2a562a429fcb85c398d4c3302eaf4c2bc03d649abb930bf86de02ba726153c1c640a92760d3121937921c535f2e88f7b1a4481c3571f616e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMMI.exe

Filesize
710KB

MD5
949a8ed18dc7892ce132f04aa84dbda7

SHA1
324fbf87fe082abf1f8501e3d2712bd3ec6a0786

SHA256
123a2b53fe641af66ed3af3624725dd2da4a89dcd0de5997aac24ac9b62be055

SHA512
c5f43e601a2506ff73210751b0ab98f0fb9103e858325909e3cc8d454412db2ecd4bc96f06278ca3ff6e46de922bf90c63dfd5b69e62f5d89a6bf1f03a26f8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMoo.exe

Filesize
635KB

MD5
817a0918d0e507a72d7ff884858a4ff8

SHA1
551e200d4397c3540ddc42ec7e90f03661b55568

SHA256
0979413c3a8ffbcd84222da2b9c4653970b40d0779676e627ef47eb9940841bb

SHA512
0fcc84bb4923b6e24d421558c0a99f7f7c6eb524295bf718f0999b0773daa3662bad1a6f8da4dfe572b79d144862219b43493909bccec2481728656059630850

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycEc.exe

Filesize
307KB

MD5
af18799bc004198e8a7200d4d74f391c

SHA1
f5f107a9460c563957de9b3bb633e9be405f55aa

SHA256
a080a819897683e858739240cdf9fba1bca8d4e1178737980a8404b31f83319f

SHA512
3660c14bbec0273dd767b96bce8dcbd456580ff9f0e424f518784a2684f46f2d99cce6ca4d281534063202a7d0fa55b32ae1b509648d0822dff71501f479db73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygUs.exe

Filesize
5.3MB

MD5
c3423e07659ca525e2e2fc4230b83ebd

SHA1
24ca32364da5849b95eba933de3da25b88330a04

SHA256
f412db186274b41e0aed4644e630abc69dde60b45c74cc48021e5dac7b443fc9

SHA512
e7d1d0bfe957469f222a83768b180c998020f4555d8610348d3eb565dd31b573faa802e1cdbd7db5eb10f1e84f01a2836dc83a925d2eeb1d4b3f588d60b21753

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeAAAAgQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zocgwQYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\bGsskEUs\rsYckgUM.exe

Filesize
180KB

MD5
f3f3ecf92f7b85d984c6d74e12d7c579

SHA1
c269786f1432b992c7365425f4f6afbae891f553

SHA256
eab3392a92b4e78dc66f18725d9781894157172b8b281f4684e5da7acd9edfa1

SHA512
55a566892076ea114e53d99d88ac0dda14f4bfcf5e33a10f9ba20837014d37b2902f2b62f7d8ce65c55335adcf81150baa6a93034e70fde1d8af15fa9647c9e8

Download Submit
C:\Users\Admin\bGsskEUs\rsYckgUM.exe

Filesize
180KB

MD5
f3f3ecf92f7b85d984c6d74e12d7c579

SHA1
c269786f1432b992c7365425f4f6afbae891f553

SHA256
eab3392a92b4e78dc66f18725d9781894157172b8b281f4684e5da7acd9edfa1

SHA512
55a566892076ea114e53d99d88ac0dda14f4bfcf5e33a10f9ba20837014d37b2902f2b62f7d8ce65c55335adcf81150baa6a93034e70fde1d8af15fa9647c9e8

Download Submit
C:\Users\Admin\bGsskEUs\rsYckgUM.inf

Filesize
4B

MD5
9f8b7bb245d0d9fc20bfa64df01197ee

SHA1
749271b18712ff0946768d6364c45fbab043a08b

SHA256
b0f7ed7a141656c6854287f826bf973abaa5a2505efbec2afbfd840c05505e38

SHA512
8432b2b1e12b006ece0025b9d8788949dbcd6c53090c8f1d58b522e7681d4d8edc3e1c12cbadf87b09078202b231a42d8c76e443dcfd6fc2d8ae69236ffd5bd0

Download Submit
C:\Users\Admin\bGsskEUs\rsYckgUM.inf

Filesize
4B

MD5
d190213c105446f2c6425969d36ce6b3

SHA1
69c7944d8ddf4e7d5fddf3b201cfd8cb92e527a9

SHA256
c880b44586bbb36d28f7f5642d9fee62ad6c96d156f7c65d363a95f8dab2e0c6

SHA512
8bb329ee7bd450066c1cf46e5f84f8e142184f9ba2aecf4eb8ede3b7bd3b985613088ce313d841f0f48a2bb9e7d7bec0a2e29d068e963ffed8e96dc9bc0dc927

Download Submit
memory/496-543-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/564-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/652-393-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/804-535-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1088-455-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1088-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1264-561-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1312-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1356-189-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1412-463-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1580-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1724-148-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1764-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-420-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1812-605-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1812-615-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1892-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1960-596-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-178-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-527-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-577-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2384-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2424-373-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2800-624-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2800-509-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2924-165-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2960-133-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2960-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3016-482-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3160-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3360-202-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3360-190-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3360-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3424-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3700-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3996-487-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3996-500-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-625-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4100-464-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4100-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4108-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4108-259-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4128-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4128-617-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4208-569-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4468-251-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4468-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4496-588-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4496-578-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-325-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4632-629-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4640-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4640-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4652-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4652-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-214-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4776-553-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4936-517-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5056-604-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download