791d938d75f1d1e06a8da90ff76effcbe1119d01be7c71f904fede5923040a63

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

910f21b7a3e10ae0c325da6b4c5aec10.exe
Size

193KB
MD5

910f21b7a3e10ae0c325da6b4c5aec10
SHA1

01707472c49e3d341a85fea765e82c2e29d07f0d
SHA256

791d938d75f1d1e06a8da90ff76effcbe1119d01be7c71f904fede5923040a63
SHA512

17dd50eeca787ae0eabf1bbbfecd4fb5d99104533cc381f0b9cee3a83a10e30ae7039bfc6ab2407abef6c1a721ae532b74d4d46d26983c4948a86e3934f24ed4
SSDEEP

3072:8qFNz7Kfugjgeprk/3aAInd+frfFd1HHYR744KGP1sobJunTbTpCGuGI/2yW7LTQ:TNIdc3Cd+tMi3K6vV1Zlyk0tOBHW

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	910f21b7a3e10ae0c325da6b4c5aec10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wmiprvse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	910f21b7a3e10ae0c325da6b4c5aec10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mousocoreworker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	JSwAIcEY.exe

Executes dropped EXE 2 IoCs

pid	Process
3652	JSwAIcEY.exe
3308	WUIgMMQk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WUIgMMQk.exe = "C:\\ProgramData\\lIIAEQAQ\\WUIgMMQk.exe"	910f21b7a3e10ae0c325da6b4c5aec10.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JSwAIcEY.exe = "C:\\Users\\Admin\\TwUcgQcU\\JSwAIcEY.exe"	JSwAIcEY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WUIgMMQk.exe = "C:\\ProgramData\\lIIAEQAQ\\WUIgMMQk.exe"	WUIgMMQk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JSwAIcEY.exe = "C:\\Users\\Admin\\TwUcgQcU\\JSwAIcEY.exe"	910f21b7a3e10ae0c325da6b4c5aec10.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	910f21b7a3e10ae0c325da6b4c5aec10.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	910f21b7a3e10ae0c325da6b4c5aec10.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	910f21b7a3e10ae0c325da6b4c5aec10.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	910f21b7a3e10ae0c325da6b4c5aec10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	JSwAIcEY.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	JSwAIcEY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1300	reg.exe
4520	reg.exe
1276	reg.exe
4136	reg.exe
784	reg.exe
2896	reg.exe
1464	reg.exe
368	reg.exe
412	Process not Found
4520	Process not Found
1300	Process not Found
1536	reg.exe
3924	Process not Found
4660	Process not Found
1276	Process not Found
1388	reg.exe
3200	reg.exe
3424	reg.exe
3596	reg.exe
1624	reg.exe
4908	reg.exe
2344	reg.exe
3912	Process not Found
2388	reg.exe
3756	reg.exe
3548	Process not Found
3668	Process not Found
228	reg.exe
3832	reg.exe
4740	Process not Found
3128	reg.exe
3344	reg.exe
3924	reg.exe
564	reg.exe
1204	reg.exe
5008	Process not Found
2720	reg.exe
1268	reg.exe
5032	reg.exe
464	reg.exe
4112	reg.exe
3512	reg.exe
3732	reg.exe
868	reg.exe
3436	reg.exe
2720	reg.exe
3100	reg.exe
5032	reg.exe
4236	reg.exe
4068	reg.exe
2020	Process not Found
1968	reg.exe
3512	Process not Found
4764	Process not Found
2976	Process not Found
4864	reg.exe
3484	reg.exe
3200	reg.exe
1096	reg.exe
2380	Process not Found
4136	Process not Found
2304	reg.exe
4136	reg.exe
1856	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4480	910f21b7a3e10ae0c325da6b4c5aec10.exe
4480	910f21b7a3e10ae0c325da6b4c5aec10.exe
4480	910f21b7a3e10ae0c325da6b4c5aec10.exe
4480	910f21b7a3e10ae0c325da6b4c5aec10.exe
5064	910f21b7a3e10ae0c325da6b4c5aec10.exe
5064	910f21b7a3e10ae0c325da6b4c5aec10.exe
5064	910f21b7a3e10ae0c325da6b4c5aec10.exe
5064	910f21b7a3e10ae0c325da6b4c5aec10.exe
3956	Process not Found
3956	Process not Found
3956	Process not Found
3956	Process not Found
1396	910f21b7a3e10ae0c325da6b4c5aec10.exe
1396	910f21b7a3e10ae0c325da6b4c5aec10.exe
1396	910f21b7a3e10ae0c325da6b4c5aec10.exe
1396	910f21b7a3e10ae0c325da6b4c5aec10.exe
4740	910f21b7a3e10ae0c325da6b4c5aec10.exe
4740	910f21b7a3e10ae0c325da6b4c5aec10.exe
4740	910f21b7a3e10ae0c325da6b4c5aec10.exe
4740	910f21b7a3e10ae0c325da6b4c5aec10.exe
3732	910f21b7a3e10ae0c325da6b4c5aec10.exe
3732	910f21b7a3e10ae0c325da6b4c5aec10.exe
3732	910f21b7a3e10ae0c325da6b4c5aec10.exe
3732	910f21b7a3e10ae0c325da6b4c5aec10.exe
4360	reg.exe
4360	reg.exe
4360	reg.exe
4360	reg.exe
3036	910f21b7a3e10ae0c325da6b4c5aec10.exe
3036	910f21b7a3e10ae0c325da6b4c5aec10.exe
3036	910f21b7a3e10ae0c325da6b4c5aec10.exe
3036	910f21b7a3e10ae0c325da6b4c5aec10.exe
4312	910f21b7a3e10ae0c325da6b4c5aec10.exe
4312	910f21b7a3e10ae0c325da6b4c5aec10.exe
4312	910f21b7a3e10ae0c325da6b4c5aec10.exe
4312	910f21b7a3e10ae0c325da6b4c5aec10.exe
4692	Conhost.exe
4692	Conhost.exe
4692	Conhost.exe
4692	Conhost.exe
2164	910f21b7a3e10ae0c325da6b4c5aec10.exe
2164	910f21b7a3e10ae0c325da6b4c5aec10.exe
2164	910f21b7a3e10ae0c325da6b4c5aec10.exe
2164	910f21b7a3e10ae0c325da6b4c5aec10.exe
1172	cscript.exe
1172	cscript.exe
1172	cscript.exe
1172	cscript.exe
2380	910f21b7a3e10ae0c325da6b4c5aec10.exe
2380	910f21b7a3e10ae0c325da6b4c5aec10.exe
2380	910f21b7a3e10ae0c325da6b4c5aec10.exe
2380	910f21b7a3e10ae0c325da6b4c5aec10.exe
5064	Conhost.exe
5064	Conhost.exe
5064	Conhost.exe
5064	Conhost.exe
5032	cmd.exe
5032	cmd.exe
5032	cmd.exe
5032	cmd.exe
3656	Conhost.exe
3656	Conhost.exe
3656	Conhost.exe
3656	Conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3652	JSwAIcEY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe
3652	JSwAIcEY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 3652	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	90
PID 4480 wrote to memory of 3652	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	90
PID 4480 wrote to memory of 3652	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	90
PID 4480 wrote to memory of 3308	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	92
PID 4480 wrote to memory of 3308	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	92
PID 4480 wrote to memory of 3308	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	92
PID 4480 wrote to memory of 1504	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	91
PID 4480 wrote to memory of 1504	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	91
PID 4480 wrote to memory of 1504	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	91
PID 4480 wrote to memory of 1960	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	258
PID 4480 wrote to memory of 1960	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	258
PID 4480 wrote to memory of 1960	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	258
PID 4480 wrote to memory of 436	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	397
PID 4480 wrote to memory of 436	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	397
PID 4480 wrote to memory of 436	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	397
PID 4480 wrote to memory of 3324	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	414
PID 4480 wrote to memory of 3324	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	414
PID 4480 wrote to memory of 3324	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	414
PID 4480 wrote to memory of 1388	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	204
PID 4480 wrote to memory of 1388	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	204
PID 4480 wrote to memory of 1388	4480	910f21b7a3e10ae0c325da6b4c5aec10.exe	204
PID 1504 wrote to memory of 5064	1504	cmd.exe	240
PID 1504 wrote to memory of 5064	1504	cmd.exe	240
PID 1504 wrote to memory of 5064	1504	cmd.exe	240
PID 1388 wrote to memory of 4892	1388	cmd.exe	287
PID 1388 wrote to memory of 4892	1388	cmd.exe	287
PID 1388 wrote to memory of 4892	1388	cmd.exe	287
PID 5064 wrote to memory of 4768	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	284
PID 5064 wrote to memory of 4768	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	284
PID 5064 wrote to memory of 4768	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	284
PID 4768 wrote to memory of 3956	4768	reg.exe	107
PID 4768 wrote to memory of 3956	4768	reg.exe	107
PID 4768 wrote to memory of 3956	4768	reg.exe	107
PID 5064 wrote to memory of 3608	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	419
PID 5064 wrote to memory of 3608	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	419
PID 5064 wrote to memory of 3608	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	419
PID 5064 wrote to memory of 4612	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	114
PID 5064 wrote to memory of 4612	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	114
PID 5064 wrote to memory of 4612	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	114
PID 5064 wrote to memory of 4588	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	476
PID 5064 wrote to memory of 4588	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	476
PID 5064 wrote to memory of 4588	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	476
PID 5064 wrote to memory of 784	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	111
PID 5064 wrote to memory of 784	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	111
PID 5064 wrote to memory of 784	5064	910f21b7a3e10ae0c325da6b4c5aec10.exe	111
PID 784 wrote to memory of 2700	784	cmd.exe	116
PID 784 wrote to memory of 2700	784	cmd.exe	116
PID 784 wrote to memory of 2700	784	cmd.exe	116
PID 3956 wrote to memory of 1112	3956	Process not Found	118
PID 3956 wrote to memory of 1112	3956	Process not Found	118
PID 3956 wrote to memory of 1112	3956	Process not Found	118
PID 1112 wrote to memory of 1396	1112	cmd.exe	470
PID 1112 wrote to memory of 1396	1112	cmd.exe	470
PID 1112 wrote to memory of 1396	1112	cmd.exe	470
PID 3956 wrote to memory of 456	3956	Process not Found	130
PID 3956 wrote to memory of 456	3956	Process not Found	130
PID 3956 wrote to memory of 456	3956	Process not Found	130
PID 3956 wrote to memory of 2888	3956	Process not Found	129
PID 3956 wrote to memory of 2888	3956	Process not Found	129
PID 3956 wrote to memory of 2888	3956	Process not Found	129
PID 3956 wrote to memory of 564	3956	Process not Found	491
PID 3956 wrote to memory of 564	3956	Process not Found	491
PID 3956 wrote to memory of 564	3956	Process not Found	491
PID 3956 wrote to memory of 2948	3956	Process not Found	127

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	910f21b7a3e10ae0c325da6b4c5aec10.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	910f21b7a3e10ae0c325da6b4c5aec10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	910f21b7a3e10ae0c325da6b4c5aec10.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	910f21b7a3e10ae0c325da6b4c5aec10.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
"C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\TwUcgQcU\JSwAIcEY.exe
  "C:\Users\Admin\TwUcgQcU\JSwAIcEY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
    C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
    3⤵
    PID:5064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
      4⤵
      PID:4768
    - - C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        5⤵
        
        PID:3956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        7⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        8⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        10⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        12⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        13⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        14⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        16⤵
        
        PID:3268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        17⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        18⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        19⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        20⤵
        Checks whether UAC is enabled
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSsAkcMI.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        20⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMkkkYws.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        18⤵
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        19⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwsQgMEg.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        20⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        20⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tewgIwQo.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        16⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGAAMwcQ.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        14⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIUcMwwE.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        12⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        14⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuwIAoEo.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        14⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIEwUIYg.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        10⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOMAYAAI.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        8⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3676
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGcsIQMI.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        6⤵
        
        PID:2948
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:564
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2888
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiQIkwwc.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:784
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2700
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4588
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3608
- C:\ProgramData\lIIAEQAQ\WUIgMMQk.exe
  "C:\ProgramData\lIIAEQAQ\WUIgMMQk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3308
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIkwcgow.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4892
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
    C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
    3⤵
    PID:3924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
      4⤵
      PID:1208
    - - C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        5⤵
        
        PID:3392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIMckgQk.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4368
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2764
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1612
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
1⤵
PID:1172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
  2⤵
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
    C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
      4⤵
      PID:116
    - - C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        6⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        7⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        8⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        9⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        10⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgwMEgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        10⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgcUggoQ.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        8⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        8⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        9⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqgwwQcg.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        9⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RiMgAMUw.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        6⤵
        
        PID:4864
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3524
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4328
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCwgAQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
      4⤵
      PID:2096
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4768
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUkAoYgI.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
  2⤵
  PID:2764
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4744
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:884
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4360
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
1⤵
PID:468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
  2⤵
  PID:3800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggYUIIAI.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
  2⤵
  PID:4360
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3872
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3436
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1080

C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
1⤵
PID:4020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
  2⤵
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
    C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
    3⤵
    PID:3264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
      4⤵
      PID:3324
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqYEssYs.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
      4⤵
      PID:4376
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4044
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        UAC bypass
        
        PID:4456
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2276
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiUkwUkM.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
  2⤵
  PID:3688
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1856
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3476
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
1⤵
PID:3292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWwYQkUc.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
1⤵
PID:1928
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
1⤵
PID:228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
  2⤵
  PID:3752
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boEUwooM.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
  2⤵
  PID:956
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1524
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:368

C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
1⤵
PID:1924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
  2⤵
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
    C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
    3⤵
    PID:3740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:2740
    - - C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        5⤵
        
        PID:436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        7⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        9⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        10⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        11⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        12⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        13⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        14⤵
        
        PID:1708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        15⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        16⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        18⤵
        
        PID:1300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        UAC bypass
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        19⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        20⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        22⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        23⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        24⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        25⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        26⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        27⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        28⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        29⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        30⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        31⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        32⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        33⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        34⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        35⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        36⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        37⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        38⤵
        Modifies visibility of file extensions in Explorer
        Checks whether UAC is enabled
        System policy modification
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        39⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        40⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        41⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        43⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        44⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        45⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        46⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        47⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        48⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        49⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        50⤵
        
        PID:756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        51⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        52⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        53⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        54⤵
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        55⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        56⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        57⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        58⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        59⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        60⤵
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        61⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        62⤵
        
        PID:4328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        63⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        64⤵
        
        PID:3348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        65⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        66⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        67⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        68⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        69⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        70⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        71⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        72⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        73⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        74⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        75⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        76⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        77⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        78⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        79⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        80⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        81⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        82⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        83⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        84⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        85⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        86⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        87⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        88⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        89⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        90⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqEEoAMc.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        90⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOMEssIs.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        88⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies registry key
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqwgAwMw.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        86⤵
        
        PID:1156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        87⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        88⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        89⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        90⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        91⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        92⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        93⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        94⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        95⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        96⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        97⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        98⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        99⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        100⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        101⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        102⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        103⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        104⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        105⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        106⤵
        
        PID:3196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        107⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        108⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        109⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        110⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        111⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        112⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        113⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        114⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        115⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        116⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TssIsEgg.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        116⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwIQAYMI.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        114⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        116⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        117⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        118⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        119⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        120⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCQAkwks.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        121⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        121⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsAMUMcc.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        119⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        120⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        119⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        119⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        119⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIkgkMoM.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        117⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        117⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWEwkYgs.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        112⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        Modifies registry key
        
        PID:1204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xckcQQYs.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        110⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGMEIcYY.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        108⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQcAEwYY.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        106⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asIcoQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        104⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQkIQcIw.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        102⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        101⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        102⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        103⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        104⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        105⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        106⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        107⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        108⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmcEAogs.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        108⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rqoccwwg.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        106⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMcIkYAM.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        104⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuYAMgoM.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        102⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaUQUMgM.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        100⤵
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCAoMMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        98⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies registry key
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyYsAEQM.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        96⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMoooAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        94⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        95⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        96⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQAYkEAM.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        96⤵
        
        PID:2756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:2096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        UAC bypass
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImMsgwss.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        92⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        91⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        92⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        93⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        94⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        95⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        96⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        97⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukEgAMgc.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        98⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        98⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUMIQIQw.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        96⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWocQwcM.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        94⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:3136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWAYwgAE.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        92⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        93⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        93⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEsAsYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        90⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCMEgMws.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nysoscoE.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        84⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies registry key
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQMsUUsU.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        82⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAQQIQwk.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        80⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmkQMcAk.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        78⤵
        
        PID:3128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        78⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        79⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        80⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        81⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        82⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        83⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        84⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        85⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        86⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        87⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        88⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        89⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        90⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        91⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        92⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        93⤵
        
        PID:4628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        94⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        95⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        96⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        97⤵
        
        PID:2452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        98⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        99⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        100⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        101⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        102⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        103⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        104⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        105⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        106⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        107⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        108⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        109⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        110⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        111⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        112⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        113⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        114⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        115⤵
        
        PID:3608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        116⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        117⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feMQMMUY.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        117⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        117⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        117⤵
        Modifies registry key
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        117⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqUIwYYA.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        115⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        116⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        115⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        115⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        115⤵
        
        PID:2948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIAMwMMI.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        113⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        114⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        113⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        113⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        113⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwQskYkk.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        111⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        112⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        111⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        111⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        111⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        109⤵
        
        PID:4520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        109⤵
        
        PID:3700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        109⤵
        Modifies registry key
        
        PID:1096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IugsYUws.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        109⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        110⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        107⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        107⤵
        
        PID:5100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        107⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saYEsEQw.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        107⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        108⤵
        
        PID:4852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        105⤵
        Modifies registry key
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        105⤵
        
        PID:2244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        105⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYQQYAAI.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        105⤵
        
        PID:868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        106⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        103⤵
        
        PID:1920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        UAC bypass
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwEggUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        103⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        104⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        103⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        103⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        101⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        102⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        103⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        104⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        105⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        106⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        107⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuAkcMgg.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        107⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        108⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        107⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        107⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        107⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaQwAoYE.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        105⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        106⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        105⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        105⤵
        Modifies registry key
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        105⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcQIEoAU.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        103⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        103⤵
        UAC bypass
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        103⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        103⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMAAgMck.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        101⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        102⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        101⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        101⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        100⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        99⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmksoscw.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        99⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        100⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        99⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        99⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        97⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kukEsUkY.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        97⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        98⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        97⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        97⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        95⤵
        
        PID:2424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        95⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        95⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGgcAscc.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        95⤵
        
        PID:3436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        96⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAMIYoYU.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        93⤵
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        94⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        93⤵
        UAC bypass
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        93⤵
        Modifies registry key
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        93⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwUIYUQM.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        91⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        92⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        91⤵
        
        PID:736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        91⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        91⤵
        
        PID:4100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEoUUUYo.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        89⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        90⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        89⤵
        Modifies visibility of file extensions in Explorer
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        89⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        89⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuEEgUQs.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        87⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        88⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        89⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        90⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XksUYAUg.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        90⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        87⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        87⤵
        Modifies registry key
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        87⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGUYssAg.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        85⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        85⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        85⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        85⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        83⤵
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        83⤵
        
        PID:320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        UAC bypass
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        83⤵
        Modifies registry key
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyUwgIso.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        83⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        84⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYUIcEQA.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        81⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        82⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        81⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        81⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        81⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uugIkMMg.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        79⤵
        Modifies visibility of file extensions in Explorer
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        80⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        79⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        80⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        79⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        79⤵
        
        PID:432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWogwsAs.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        76⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECwoYIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        74⤵
        
        PID:2876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkwAgUAE.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        72⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsUgUUoo.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        70⤵
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies registry key
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGEQEAIM.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        68⤵
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAUowwEo.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        66⤵
        
        PID:3664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYsIksIo.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        64⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKgUMoow.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        62⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmoUosIw.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        60⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyAgsgMA.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        58⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lawgUwsg.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        56⤵
        
        PID:4880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agAEcwoE.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        54⤵
        
        PID:2276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        UAC bypass
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMYcYoYw.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        52⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:3596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEQwYosk.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        50⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICAwMgsA.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        48⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeQYokQA.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        46⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:3732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUIcYcEM.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        44⤵
        
        PID:2700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zugkMIAU.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        42⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYAcEUIo.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        40⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:3092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKgkEkQY.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        38⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYQsEYAc.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        36⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        UAC bypass
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwMoUgws.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        34⤵
        
        PID:116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiEQUQEE.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        32⤵
        
        PID:628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        UAC bypass
        
        PID:3344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Modifies registry key
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:3992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqoYIUkw.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        30⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKIkQYso.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        28⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RacQcEYY.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        26⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCowIcMs.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        24⤵
        
        PID:5100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGskEgQY.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        22⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIYAEssI.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        20⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:2388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcUEIcsE.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        18⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeEQIsEs.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        16⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEQkUMoE.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        14⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:1260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYYUccYc.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        12⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYokgoMo.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        10⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOIAEIYA.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        8⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUoEoAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        6⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1904
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3324
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:4136
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqQwcgsw.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
      4⤵
      PID:1600
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4112
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saMkMogc.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
  2⤵
  PID:4604
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2424
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3344
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3692

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 4294d2108c1ac920c8646f644bd3112f npPnLjIaPEuJJEijCh1tSg.0.1.0.0.0
1⤵
PID:4784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4472

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- UAC bypass
PID:4236

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:928

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- UAC bypass
PID:1612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:5016

C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
1⤵
PID:4832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
  2⤵
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
    C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
    3⤵
    PID:4436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
      4⤵
      PID:4816
    - - C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        5⤵
        
        PID:4936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        6⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        7⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        8⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        9⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        10⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViUEIwgk.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        10⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        11⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        12⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        13⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        14⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        15⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
        16⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
        
        C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
        17⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMoQsEAc.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        16⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OogcgUQg.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        14⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYYUMUUs.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        12⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEkcgEkM.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        8⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:3524
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQUUMgwI.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
        6⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3092
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4124
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKYgYsUg.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
      4⤵
      PID:3816
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1524
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:3392
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1756
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1140
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3188
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3264
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIEEsIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
  2⤵
  PID:3128
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:320
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
1⤵
PID:1300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
  2⤵
  PID:3148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bikkQcsc.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
  2⤵
  PID:3596
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3188
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:948
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
1⤵
PID:3856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jawYoYsE.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
  2⤵
  PID:3140
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4112
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4800
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2884
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10"
  2⤵
  PID:876

C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
1⤵
PID:2276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeoIcYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe""
  2⤵
  PID:624
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2956
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4136
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10.exe
C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
654KB

MD5
24fd6c71ec9303b39d8879f182eb016f

SHA1
3efa3d95db7981d9ffe8e61133b04c10575ff09f

SHA256
69214d36277d4520af6d8532916ad6a6fdd45b5aea128eb5a85dea47fa2e09b9

SHA512
a13ac27b59fd08359134d04e0d0de38a2430e3b6234a070eb02913c8a99f4b1fe6ce2075b41e7f12496b0a2fc90efede6690d8fb8b99a19cd7d44fa1f0f1cdf2

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
307KB

MD5
9ec02a41df3d27ac1f0fef6aceba41bf

SHA1
4e5174bb9da2d6c9a567b5bfb80966d3aa30006c

SHA256
ebbf3ed3c3a9f90ad46efb84774b22e185a5b5573cb961530f950bca9b626145

SHA512
ebe02adf5e6d7f71c82546865edc8663d3db652b6948016e869b9363885bfa7cf87a40b36291ccfb91346cb9fbe23bff258ba996cc621b7ce8d04cfdddbd1182

Download Submit
C:\ProgramData\lIIAEQAQ\WUIgMMQk.exe

Filesize
189KB

MD5
3a7c8f58c5b705307788344d795a3eec

SHA1
91ddd2b510bd6fa4b96563522f7162afe56b485a

SHA256
4d5719dcdad04abdc9c94fd42ef66a6ccbf1ab7e3e338d4395b46a73cc7b81d6

SHA512
9ea677c26ad0d82e54a07df77d23f8d0de8ffe4b0da626b0cb48aaaf3e48d558d4d672017ec9a3834fc534eb6c9ec7f59182b9300e4d5be35d7e6506ebbd963a

Download Submit
C:\ProgramData\lIIAEQAQ\WUIgMMQk.inf

Filesize
4B

MD5
11223b3377c950492223d569b63ffcf0

SHA1
fb5a15313c500d299bb01fa9cc769e04d1d853d7

SHA256
ef6b7dc1c457897c6239f04bb1f699877262b59f4334bf68de2e3985faaed7d5

SHA512
8508417e5d289e8d653a6a1fdc8a2e556e72f6fa5caec1e164551323a6ec18ce6f2cf410bf195c31f1d779df208a1290e78cec6e2e021e871748eaf8df0914e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

Filesize
189KB

MD5
6548eaa186f9da2b0800c7678fca035f

SHA1
78af9f28861196ac137bd9b19899305ca2ff3f1c

SHA256
88ffb578ae04849c09ad5b423c8341b349ae4e4eca5957aa7a899a4017fceef7

SHA512
6a73af63b37db9883a74410ef9f79f6905a007e2b8f548dace2eab198e5a2edbd2e3355fbb974308267aacad32b27f2311c66a26a9bbc3c7dc0a5a6c7b2d5e6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

Filesize
198KB

MD5
76d6fcc9a5a09de6cb38204c85b34422

SHA1
ffbb8e1bfdbf0a23d51aeb00d2f343a90228dcfd

SHA256
6c21eb3820cf8c93b5b21d71137adfa52ae78241e5110813a208a19d337b1c9f

SHA512
9e4cefbd24688bcababca454125176bf463845a705a1e8616d9771ba674bce09592370dd87a2419e926258dc9df3f68d00adbbea67d2722b38e784f79db3e9e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
209KB

MD5
e7bea2e7e9ea63f83957e40d93c125f9

SHA1
cfffd8a22181e642740afa9f60a9d5a4f69ee60d

SHA256
b32fabcbbbb9e34c3d4510a8f89f9a6d61e3eda64864540f4e7712125546ad4a

SHA512
dff275661361471cd738f9451699cb0846cd979ce4fdca4bdc86d3e9b94ee64e9a9edc651068208922b807e32b8be08f6713ffffec505792cf9c772d0f292e5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
195KB

MD5
ca5606b6c6f4d9dfdd0c8f49c7422b54

SHA1
179a1ad8defad73db463cf49eb127e1077e4ff8d

SHA256
9de735e9b1748539e3923650f4d30ce191681b04dca6f908f4b8301acad8d257

SHA512
6d4c045737c2efcd94a77e73dc1b084fe2ee4c4c378a2e3ebc59576ddc04a4b84aee9f4770e0f01f20286f0caf4f40907e646d7cc6148ed8c101707e36ebe5fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

Filesize
190KB

MD5
975e2f6370724e40e89d4d977b7b81e2

SHA1
da9144d3a9b6bd2e839176f185d4524af0ece36d

SHA256
26ae79e07fd692bb86e24518b90030d0144687c1f89dd3dbd58b61419ef65925

SHA512
614c0f374b4925e81c28cd74b19eccdc1f015a4152312ff8cbc291f2bbe3956e8cf598424aa1c22283b84a746038a28c33f277b91a7cbedbad1220e90d897391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
57KB

MD5
4865d01634dfd2e2900c860b3ef2bbf5

SHA1
86fa9ed20446fef96e07286042922ccc790135ef

SHA256
eb85d4ccc85fa046c4aff593e0b87143e5bcd989a1bcd619b93278653dea9ded

SHA512
71d8c77f537533173f17e4385ec16ad8d0fb3c4428f7e42d046052511a87039ca6faf04e8bc4d9bef6d3912f8fe723736017f3eaab57165f3be6a232127b51b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
213KB

MD5
405c31c06258db78a5a323c72296c0de

SHA1
d05a795ee50c2869dca9e26300787fed30466e21

SHA256
214b183b3cd99d8e59e7557969c47c5ebb5a08b2a152485e080daaa205da15cf

SHA512
6a8578ab628e3b82a7724860c0f48925f3508e4fd3f17107d3d12d3f26afb6f33daea062de8810674003a3c3775950dcf49056e8bdca58223c734d8634c1d3de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
193KB

MD5
ed2ba0c7dd8717e021d13c7f09d47e4e

SHA1
9b5d307bb7b357ebaa4b307e7133ddd6f5575010

SHA256
b20d45dab398e25646837e3f2527a1471e7d428c1fe448cd0cdbabd3b1cc5417

SHA512
aedea46c6dd2f5951073611a36942fce80fc15f2a35d7848d603c43eada28236ce4f3299f3ec15ccc4b8343f6f133b55a6b6f29a07f7d8414f0ff8f2b9a00d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
208KB

MD5
1cd825ea65369bab84753fd862593f55

SHA1
8d9c253982198fa7fd161d7ff4dcf955e2d297c0

SHA256
2e544447754299d4fac665ef066c0be8cae45eab5826d6804f13663e685196d6

SHA512
f16a8d1e8a6375ca5b5007714bb83f530c5b2d413881e6807dd5556f86ed625cc6b4d60fdb638dc596dc30e4c08e41a8e54812ac0e8b269c8c13ed12c461186d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
215KB

MD5
ec041e23e1eee615d97b154f5ce7418e

SHA1
847db4c45163e6399bce02e6f88a6c7e4c9c964a

SHA256
1fd06bc2eb5be748f5dfcb0a869dc8a12ff7bcf9b0d9b75635e67dcbbd150641

SHA512
e83dd6a0ffdabfe975f6fe5bd901596c59c1e7a76e075448bd8d567d1f097b7faea8dbaf1ce969f88775740cae736179ac4d09e0276f8992948bfa02c1f314d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
187KB

MD5
d96845cecda4b0b9f4c45a4f1fd5ca05

SHA1
35c56b46e221366487845b427da126f4fc40b551

SHA256
ef499d2cee6e67a207deae16b624c9f22576c5afc5fd6e84a4c0c40c5b93c757

SHA512
829cbceb1429ea6f9b8b56ac1b506bb677351310a495c0f9433ec83aad669a34141fd82d13ff365380bba17b0cdd98b62cf93ca23ff1d4b2563ca835832078e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
187KB

MD5
28221fe045e9869ccdeb83f3caa391b8

SHA1
82cbc92762ba3716178536f978e6e38bf040f713

SHA256
e543c50c83a91c621af9e9e5a76e94e61dd0e9303e7ea659ca559a0315a891e7

SHA512
491b16fe9d6e008588e102b0280ed36a31fe9e5ee80d1f2a61374989c59d36f2d628f318ee138a2e83277611ff2bc9fe95145b3e42111ab149dd8ead3c5775b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
186KB

MD5
bf82e00201f37149f6732c30a84d10ee

SHA1
2307d4e00a5f379f6d9e4b54c19f3934cffea156

SHA256
8b394ca92c2d9d2e413e6ed2880ee3af7946ac18eb57b4aee90429ebe9fb62e1

SHA512
2f2642647f111b399f548cd086efd2c9c88566184325d55aa43c286d4480c53e2b7612280c44cd232ebd3f79b63a73ecdc56f3d7dc27b73118c3741e0fceede7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
188KB

MD5
0ed0c7729900629f368baa607784480b

SHA1
147f067cf0f56f8111aac9a304fa06b960fcff6e

SHA256
393b05814dc21a4da9acdedb3bec67d7589f1325c09720f1cc200ed7a5d448be

SHA512
c35c8e6be18cd0ab5e4efda1462cb2b4a194515535ce6c3cbc925e3d0a5e0f1ef3d461eca039a0cd0f68b0988e17bc536552f74aad131aa8dc08d9c6b1b775f3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

Filesize
204KB

MD5
770268b00decc3ddb31c8848c03b1f9d

SHA1
9d5b41001809263ce86143eba7701a033813f7d8

SHA256
bad1b39dad4f9698ed9bff6f9690f7f6319ed6b8e79ca955eebcd8ef995e06bd

SHA512
b3788a3a77c8ce9fdb11d5bef273fb1b00509f0e00465af887813fc0ec76ff7d59c7897c6c59775206195d2405ef6e05cb3f32401a5a27e27cfde6d26e978632

Download Submit
C:\Users\Admin\AppData\Local\Temp\910f21b7a3e10ae0c325da6b4c5aec10

Filesize
6KB

MD5
1faaca27db89108e4db71601f485ec34

SHA1
0ba4ef92a3a4aa61bcc8be95e8353c7cca84855c

SHA256
938302353d9e5e040c36fb429ab96cd61b4e0948d1c6c027767f8ae00dc62171

SHA512
bd05d1a2d40a74d8049049b59c9bb6b6f99b3af0d115d5a14b8c83f8af3567b4e416517027001876821677d6464a6b3f343fd9adbf28bd196b6da97a56a9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIIc.exe

Filesize
791KB

MD5
12d018c27d21f7ee799aecdced1b93f4

SHA1
a0227fd994c2440e57c421928b8ffcc8dfdfac67

SHA256
e85609d27b95c97b8c7dcc6b57b7b1aad210ea869c8720f79c349223161a5813

SHA512
eb78eb1717880118ab2a9081d8c64a13d3292c75c80d47ebfeccf4e7737cce7161a3cbb44cc056ce7776bcf92267387032fe23f0f2f5dcfbb446b15046df1bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQQe.exe

Filesize
189KB

MD5
395193f4d918756fda9f2dff2bdb393a

SHA1
b5625016a7d6e3751c5a19e73e31d24c3e8d7f6e

SHA256
3027ee94ad8d8bf178415a1004513648f1b503456c4526e4f5dd851c7544a687

SHA512
5dfa56a155e34feb5452742fc16f06c20d2748deb7fcd449f08cebcbf34e9772a8d53a6012efbc74d598f5c200b291adee529e8bdc4a287beda2afad8bbadc34

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEUu.exe

Filesize
207KB

MD5
901d0dbafd5bd8b8f2dd090a4ab5b1ae

SHA1
62a7dee8fcfd2016ee04ec68ae95a0a1e16cd73c

SHA256
2b1e4b96c8532bbcf2330903c1ef296e133d01f06942c62f319645100be95efa

SHA512
21670a432a975d40e0a79f43d83209b347b8c7787df8ca4213e47dd8be98a88d9ab1616639a9daaf0211591296c96d80f4da17a4be39cf3d32e0843d3097f419

Download Submit
C:\Users\Admin\AppData\Local\Temp\CosM.exe

Filesize
186KB

MD5
ee57db88ae0bb6af7e6448b936081297

SHA1
9be4abde12212a753ae98cab30c98bf26ba34c1a

SHA256
68339758aa58c1557c52a83dd33f215a68907e55a513b9d7e86692cf6ee2acfd

SHA512
9853a29247a7bc3783bcaf03f39480e7f4e78943b6a19cb362bd856e7386eb661e135f6bd072dfcccee79c1d21f7750cb13f2400c908c6a1f8ea7b32b774cbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsQQ.exe

Filesize
129KB

MD5
bcc35405dbcf8c3fe55a6bf45336c84b

SHA1
f82cccb9d32b385484f4d39421359467a8f2d5c2

SHA256
c376cd81d723a1377f3074f29c2b787e852750e1ffd1133b4116dbb1d970d4e9

SHA512
969980225f665d6552ad9f10254c80650e0de9a83e20e174851c858a99992fa062d76b9d342b04bcf7dd7cf74e3d48d04cfe3a7af917f02d0f03242af2d2218f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwcE.exe

Filesize
204KB

MD5
eace1910c7ea3a15fccd9e664dfa313a

SHA1
d91cc9fb8e494bd3f4b57ee29870b40286fa62a9

SHA256
a9da5de2decc8351d9fd935ea05aafea25c2fe33666430d881c8f62dd2168770

SHA512
27fdfa2cca762fe41be79b55fc71f8f0554519dabee191306725b5a884a58a4797fd99294e7178b10329bef1dd6058f5868fd4bda6a7eacd27993e437e9e098e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEYE.exe

Filesize
99KB

MD5
020feaaddf744ec7efd2f460a412d9d6

SHA1
ff2627d4cc6a35a39c3f148bdadd7c42de4c44c6

SHA256
358ed71c5734c0b92c3e2cedbe0ae905e921a127ec604cd2070c051f61db4861

SHA512
2b731e684eace9c7060f577d26e8dd7d71c7d31a75b2d928f5687015bc8af5e1b9ec6b590dfedeab1a38d8712aebdf05bb629065ae07186c06abc370cb6dc7b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAcI.exe

Filesize
197KB

MD5
804de82feeaa917a21e7118da91afd41

SHA1
dfa7d935a113e446280f8a1ae66bc3d1701e5389

SHA256
be5e1c81e6893fecb0cbe8da6cce9b3a92c21d47a65ccac5a633915e1311c8f5

SHA512
5bb4f3f3788250372e78c91429bc648c2725c718b0293aacb765d5037963de33c102bbda1d8e1aea7cf06423fc44427d421ec5af2ac2574c3f9a3fb2bb1ae725

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYUS.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcAs.exe

Filesize
190KB

MD5
884ce9a3c78f81a770446537aa4b732e

SHA1
994d401b78c2657c9a96dbddd9f0bc4d7403fdd7

SHA256
1d5bfc35e48d716f62d3d27ade3b1fe802ab4860d8c4c9680adef97ad041950c

SHA512
7d445d2d8665445e5940908995a0b5ae9ef955853741c6bdfd49c220bd6f0a90c6d7e9c748746275f80c8e9848ffa9fc442c0ff7a3ea1d52dd97b9ec03995e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYMg.exe

Filesize
160KB

MD5
a73fe9bfa55a2219c4fe9c3706088838

SHA1
dddee2e64146a335e48248ec5a3f77e10dde2e35

SHA256
fd51f0f4b36733f624cbb53afc877a36ec2e680ea85557748eadf441cb2e3704

SHA512
76420e5a97aa4aee62dcf488d63723cb987129009a7b1ee2ef9180e60454003ca0f43aa8bce1945b38214ef0b346df1c161802648996894c47c9c11ea1bb0a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgQm.exe

Filesize
204KB

MD5
3f56082fedde5d7546951bbdd902ac5e

SHA1
521e4e2d49c68befa6db5b93b197107d17bf00d2

SHA256
48cad3555f975b00a5b461ff5c8e956690b17b0923c1da704db213a167fce0c5

SHA512
87a3eacf3a2c653260490208bcd0cb56fa670e879c8fd8ce39e69a2e7b8287db28181d402cbf3142707c8f194770c93df35529e1d526ec290b2726adf0fac202

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEUq.exe

Filesize
195KB

MD5
827c301a8302c5cddfae98ba3b629f7e

SHA1
78c157969086783f831439b7f76349045e8e14ff

SHA256
e14f8b050c9700cff31743f493aa9be2ef8961afc6518eeb290b28b7a4aafd3d

SHA512
8e7e0c5475dbb829f0edeafd53054bfc28512b7f9cee233ca3e1592d7bab6a8056c75719d14fc09996ab1b63819eaec088d36f2a9d4744b93e2f7b9a36cc2153

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQAm.exe

Filesize
466KB

MD5
0d1cd19bf00c5f8aba9da9e3273e04fa

SHA1
43f68ff53dc529b1a336ec413814446ac4ed4b7d

SHA256
99b5182734a2a9fa596725eeb64bf2c4e540ce9b6431451324575a91900ab361

SHA512
191a5c41ef417bb0e74300cf3865804bd033758c49b272e7301259361b28d441f28d7c652f3410fc88c60ae38db8da238afcb144cac3629c7ff3eeb14bba774c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYUU.exe

Filesize
213KB

MD5
2ed827170df2012775bb8c75b1384133

SHA1
ae1ce31b5adbd2557af587643311a040be57744e

SHA256
45fe4b21b0f5635ca3bc8369952bc82857d3dbebeeb9b0df66e20a6de854c9ec

SHA512
2fc1272261a308c79fb775cf3face00a5c7abe4edd7c8d1e225822777a8362d1ebf8229ef347daf36797a657ca5f832985bd176847e676228ea92ef8f1eedd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcAM.exe

Filesize
814KB

MD5
da10222a4221e100659a1be92aac9cf1

SHA1
474a66ae54f1b0c2b563f8c275f887dd5844aa4c

SHA256
44b55ccd469f2471b58f11f910fd43e289681a76faa31d3bee5dc618b7f3a630

SHA512
fbecdba087c635cbc31d510ff58ea811388f4c04f56ce83bf46cf58135f83f7c5a0ec9620aa2fbdabae2bce004b01ffdcf6f14db7259807bcd0dbd725eb07a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgAS.exe

Filesize
977KB

MD5
a55c88b43a9687fdab3709112f733f78

SHA1
3b8aabb3c8d510ae8fd2de5c59d49341b286c709

SHA256
ffc7a0362250ece217fa71755a40905dedf727917e262605e5fd6cdde14ab740

SHA512
dc72437b77f3d4c0d9890e988911e9360d5cc1803a74f8bd7cc7976d1df52183450214dce7b5ba3fd8ad5251f828558923c3cbb1d0fb56599b7a5082a85115a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgIe.exe

Filesize
422KB

MD5
03c3ae976f7f83ff0b95fcff86c85c3a

SHA1
2ec94b1ddb19b0eb6f9daf7e4de1bb27747fea39

SHA256
8b21bddae5fc405f2c8929a1788135572d4bfee7b67ae87f3d6fd8df4ac2ea37

SHA512
50ccc2d68bdc6cf4957ccde2c9f208e565f6b97dc250467639007f2f6495a5c6c70398849edfaacd12528587c4ce48931a9b69866873b8b4f94cc4d0e7abb2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQa.exe

Filesize
224KB

MD5
afc9c3253dda7a6c6d7bc6cef0950397

SHA1
b1e37633b8d29e4dc9b9ee69e24a0a4c07acc088

SHA256
4dd14c706d755b4e802215c5a9f55c2728f15c61575348c0faef991481dbd4af

SHA512
14604801fbacb38645f3b843efd07c6fecb053bcaac291aa6a80df27f8570813082735352b30c27f493d7aa117f68ca0fd901cf5598f6e68addd88b72dd1167c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUka.exe

Filesize
205KB

MD5
d116451c6b655b233e1c2e1a5173e6f3

SHA1
fc70afdd2f045fe4e7909495e01c5ae7a73d1169

SHA256
61cb9e43f2f7ef4cd3972954bd31de8e37fa6d6a03e4661fcbb01315daba7135

SHA512
2c4bd40b5ca798fec0a89679e434c18ec929d0808ffdd5b46e0fde6326e3978392b69286c009cf5952099a7bf844f7650d9cb955e93db2dc21c3fbe0c16bdd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUoO.exe

Filesize
293KB

MD5
60e9bc1baf731c7bbb9e71a917f22836

SHA1
ac9d2231e0bec7fa78a8ac360d07b81db650cbc3

SHA256
3586632844e9046102d21a466e4b2a6e140130915b87fb030f104d3021ac3606

SHA512
fe61d7fdde94d8ccde952f9babc18b87c67f3c81784c97f4e4805b16d91717102234b115afbbb1425a780bed026525fcda674293998a45708014bf9e7866ec5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MokK.exe

Filesize
186KB

MD5
8ec4ae816c3726c5216e92ac76c70d3f

SHA1
c1695d5e75b28ff4ad2d6cc90bbf700f2124e4a6

SHA256
51dea9cadf3f89e0e8e1760a56c0a87f4eec294208ce5152ad2cdbc1b7fa7911

SHA512
1ff5a3bcff7cb09ffcf1a8850348a8b7df12ba63ee759ea71a1f7151d48cae7e5bcfa311ca835e41f96ce106da85a732c2b6c228eb7a0225493b6a095d5a468e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcMw.exe

Filesize
747KB

MD5
c34634920958c0fa3ee8ab30875f1f20

SHA1
f036a0d191f2a38d0cdf8eb1ecf52e682c1af48e

SHA256
178df842451e60ea232ed1bd7e69b8322af84e8505b8d721ec52885cdd1b4361

SHA512
bad46ff91a3723fb97ed2835704272391b7bee8da5a5dc18495e171ff6289bd0b9f7c9697aefa85427a5bcb86a7020b208d01a69a77558b463656c3cc208afc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQQa.exe

Filesize
787KB

MD5
3564b0cea43f3cee8abc4ae0d45c1213

SHA1
b665e228e5693c846a375597e11c4c8babd43fbd

SHA256
104f2a7053f8be19eedce703128974ab65ad7426e7beb7d4cb85bad0ce39d946

SHA512
34ef7b67fa7e8d7db22a29d0714fb9cbe0c8164cd0aa0f123264c1ec104ab134b6bf288850f320e3a9010c383da44dbf1e8050d412291da9669e30f27363405b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYUo.exe

Filesize
317KB

MD5
3059a0be643243fa73a5aba9745429e3

SHA1
1d3e60b765b85fc93248c43da2769b53a8353b55

SHA256
2d62711b0da16d82931b83b212bc46549a54a7a91748671b140304cc87a10efd

SHA512
aa6efc5d3d74fac644d83d88d7e5773b1e837274e0ab418296bccc415f9e88e6af6300ea6c5e7f75cd4ffd7462732ba2a19d8b45e7a8a21c2dcda4ebd1b60dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qckq.exe

Filesize
2.1MB

MD5
fec9b6f78e1a20f0c9bd3293a6a694dd

SHA1
d0df105c8cfbeced16c80a7bf893440d49461299

SHA256
065712e21918886a13b1ef02b4be5c9477f01b5060b15b4774defe082bb2c616

SHA512
28aae8e0298b332b108fdf8beb909290de3dbf32650a154cc1de4b84a02becac207ad3a3a75decfe71dc4365a9142ff58c63c6e917ba39a79cebec3b110a4a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgsO.exe

Filesize
194KB

MD5
cbe762f6acfdb280840ae41c6b315db4

SHA1
006a4607352b991cf8422a36cb33ba59dddac894

SHA256
69f734577ccf3336f7a20d58cf720996f16f382d2c74f0eb31cf70c9ef5bbe2f

SHA512
27f606581c21f29db143596c9671e87307e57df159c1007b045193d7857b7c36309a6a203fdd82aa7efcc83d80f44572b4fd8c93955c61c3eefd404fa30b387a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYEM.exe

Filesize
185KB

MD5
39e5006ea75c8ec8f266fe8620e187ea

SHA1
467948bf7cec433cf95e420b55e21b0a7248193b

SHA256
83ca18ab6e25036cff6e0d363d403b74b38f8b1b89ad598a9b76504ed12d6e4c

SHA512
7c4ced7280d43dc144b32a018f75bb1a8fe298e7d5d418fbe53bd6b8a826d67430bf4faa348167be0bf67461d057fcb5a6a9b5e896af9161fe5f019a9576feb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scso.exe

Filesize
204KB

MD5
c2fb48e5dda1b40d9b139787a0f2fef2

SHA1
f3e87804931ab8ea04399aa027b683438db587c9

SHA256
0e3926920d44138ab284f8811ec85ab9359931a12cc40c07f0be84a5f6b6c77f

SHA512
7cae01000ffb17dacf740bb23c522a2d380c32a967a34b82ca46484670d3953ac4f9b0a8555ad61a7d2e61dea12b83c9ca69df0a83b33df97eef701fad8b8b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgQo.exe

Filesize
236KB

MD5
4b872a71fd2e0cbed27b3cdcd9bf5068

SHA1
c2c3bb2e3240947fe6fd86d9eb8a2f500690fae1

SHA256
59e2d44a479ec29cdad01a68ef8cf023d1711c5fd142cdd9fa623b1e7d948d28

SHA512
860e86992ca7e9bca57d39cd23c06d16312147e54d28de403d147e897f54ac24e0710456980ce39de98b8f4a4a66dbb232ae77e0a369ea4ac416bf5c5e2ab6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwUw.exe

Filesize
210KB

MD5
67a630109ad0d6188b1d53ff3041b459

SHA1
5a3eb437e48dfec1495d92a41f7f9fc131b8465d

SHA256
ec1d1243dc5a08f6a60f30c38c94e2d79f3049e4817f2930a1a43baabbf4d7ed

SHA512
ac556497985239e262f9b2ef721ba9f19f2701b926ee711bdb8d63be713fd6d661689d17f5bd3710098292e249f5b79b7fdea306f9a365d651e91f51cb5b6d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIkwcgow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYwi.exe

Filesize
69KB

MD5
c540fb51e3c2b795af8d24e1dd638880

SHA1
ef3c8b5328bfce904a0e7a3d0d99a932526a9923

SHA256
b6250474f4caf3aef77aca680dacc888fc031efb8c96f13077c0b9c20c9ee21f

SHA512
44be58a568deb5ec9fb52b40e870dc3cedba59be74e16bdba5d879baa579621fe04560ec59444a560798f9940192344b46e462de3fd3883ee29958f8338ed7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcIo.exe

Filesize
199KB

MD5
5fa4e8f1ff2232f073dc47f5e3892762

SHA1
ea06fc6c0134b34ed55adb4fc5dd5dd80b85932a

SHA256
cc1f28ce39c5c6499514664e76bcc562684f577f21099fe53bf27d39b01cc741

SHA512
9bd1a2e6a485c1f579d6791315be5932aeff83be7e4b2d4a0cd31db58d177d2bcbd9017e5421191a0fdb4e95ca57c3ada282796b5edcb6ad8e0c71c41f3d604a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ucgm.exe

Filesize
203KB

MD5
65f155f67f488b655bfbae13cf5cb2c3

SHA1
5c1ed261b9facd43bcc88e991ada9b0ac85a73f4

SHA256
c1006493afaf8a2493bd7e2bd644db5b02a43091cdcb3e4cc7696da57745f867

SHA512
f3aeb62ae4370124b4d421566fb39f7abf5e05b96e6b28d49b5a56e55aa00fb9f6d876b40dffaf57bcd33267660d1ef8326608ecdabbf009b62194b42b7263ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsQq.exe

Filesize
779KB

MD5
fb1cfb96473612561fb42ff079768305

SHA1
8bd9220056e8e70c9a3be64332aa461efea94bf4

SHA256
6a03c74a006c3bb8b731eb0091db8688df70a51933d4eaee8dca8ba166e6134f

SHA512
cdb4c93d275ba84648f90545279e8b9d34db49d4bc4ebf0d01f36abf70389c7360f1adc7c765dbcb7433875e5d6be33a46402a6f44c50aee31baa5bf373b6a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYg.exe

Filesize
584KB

MD5
a33518fe3bfc8b33298c5193a47026af

SHA1
5d3230de4c5eaddff8df9f4789a4587dd7cdac34

SHA256
be760ec0af9e25e239f51f2affc241b566fda58c692eb9ef939784bacc0dc969

SHA512
02d2cbbb3d74f1197ad166fc4aadccf50c8b56dade12f65be91b417cd68c7ca97f50d18445a85b9feb02822fc9def91806fca9aa86bfd7623a72f87c99769fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEQA.exe

Filesize
57KB

MD5
a5cecf7766188fc44d94106c7722fb54

SHA1
926abf2964c71f9fca26517f2b9e4ae5e3682782

SHA256
b75fbcec5ac426442ba5e9c338443a7430055066103ac9100d6db1d9d1b99fb3

SHA512
605263a4398043a192e3dcbb4ead9dca6656528e6f4f69efa6d976b5cdb4cb9d341526e3a15baad55587a8b4c44798ae67c0c373585aa6fb0c4b336449f83ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEsI.exe

Filesize
148KB

MD5
8fb8105676c21553eedbd9d7b25c1446

SHA1
accbf6f86fb3cd622c5d3995940fb0d3da8544fa

SHA256
72c13292080d361b077c540021961b7081bcfb9539eccb2ca6f06660f3482eb2

SHA512
c5ee7076f7b94031716b3fdb1ce282516428d1441a71519acc76ae0a898c3b669835b566dcc533e4864401e7c01e653736e55d588e7499cd36bd9133899f6e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcQu.exe

Filesize
58KB

MD5
a25ca4eb75a63340b27f9611f73cba0c

SHA1
80b949397dc1948aa6cdbdc22ed515455a522939

SHA256
b11faf8fd301200a8349885b0110990b9a32f8cbc496066a6a39bf5fc0cf5248

SHA512
531e35e87df49a674a8d589ef5cbc81683b372eed14cdff3c1b13c8bf16e0487b19bb3fa3fe46dd64fe97351cef6add7580acea0b7de4cfcdcada34ab609b016

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcYu.exe

Filesize
210KB

MD5
1038d15b07e2dbbb41a6dbe14a6832e4

SHA1
8f68cd3aafe58e5887206792f40593dc3986bf53

SHA256
965aaf6d40905c5630e24147c5db3544eaf785a323a8ca7e3f6127eb87eafce2

SHA512
7b24ce7a41f7924a9a895767764d8fdfc671bee4f51b35dc223bb16cf2896f91f487af29ba6ce0a7f8095afbf339d100ff6dc3e4537e1335505c7a3ebbde4a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\WocW.exe

Filesize
188KB

MD5
dcecc1e4046d4df0603eafc9ed28bcd8

SHA1
80e8b0075bbd2d8080df1c3455cddaddfafd7901

SHA256
e256c2c1d1f3e2f29dd06a1f1c9f9853583bae726503603dc41d621a1d92c97a

SHA512
4b306cd9c23008ec1db77ad8ef6a642697951757947b6653b29414fc86f0a85973e185cf7e2f7ab3c8df612b97ef0f030774a1e64610bbce7c282c7900af6580

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEIU.exe

Filesize
194KB

MD5
567f6000bdca23d3f01d18f0ad1f4660

SHA1
ae5b6e6512ff57b00b4a61db9e9f7b2200b48d7a

SHA256
47e0c0955e4bda54b59a70cff8ab18e0dc2dac5655447d29b648e383cab1bb73

SHA512
ecaed47352bd52321fc00940c3a083ba04a0dc939a450922d8705640cc42408946e3832894ad48ab5c8e675468236a9720ec3d4e65b6c21cfd45bfe5c3f7cebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIEi.exe

Filesize
656KB

MD5
d6680a64a26678030555744a83724127

SHA1
bbd3b0542079d0b5c49587770a4fe0e912f2f13f

SHA256
e84a3901200f28228de91ad8c380bc026f6b8ddf1855a3530670b0b9027f54a6

SHA512
519996532a4ad19bcfc4cb7c34bbb5e93a309f95fd5c5846ea17db3d238cdb9ad77a9c259f1a3f813696f31aebbf7d8f75e10cea718f60d195e108bbdcc8c1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMIM.exe

Filesize
182KB

MD5
f15981b61e6c080e1726f4a05d162d2f

SHA1
c3ed3477f9a4dd0bb83ecfc5ac12c0b2d88932b1

SHA256
15218a5e0bca482b865ca482e1d7c370d500ea872ad72d86c574ec9b8d451357

SHA512
2fc5b4c6ca9a90db88fed09cf3c2dd9a0f91b4d294a4e151f16d951038208e3f7a98a3d03fe5fa2eb9e525399e6abe0dbcde6c812e1919ee2f36c6c5574a2441

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQIk.exe

Filesize
202KB

MD5
384d4f82b81cf2474799b47cfc46c373

SHA1
ad03dc786b509207801274eb4289f4b24b3b9eb1

SHA256
9bda4c01491e17e0a1f1e8344c8702592ba4a2d9f2d6e423c3dc1fa53af76cdd

SHA512
331811b4e064f4045788e70987e7aa2095479f2dfaed66b4004514546f55b59191a504929f8243a35c86142f1daf6a5738b85f7985af597a1222e76621c84859

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcAi.exe

Filesize
230KB

MD5
bee103614b88369c5f53f9cf91f035f1

SHA1
f1edd53056b1d5c0435e47c0e91643bf03d3c1be

SHA256
53db8a74a9e0a8949a4bfaaf7598b1b135459d43e3e3621ee551110aee9ffd9d

SHA512
9ae3e5e882ab82f9ff7ea8934be1c4bcd4280621cf51851baffbee3f00ba4cdc3ecbb31b30ba1e5dd5466d378886b6b45e0100d0f872c8062a0e7daccef834e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykgo.exe

Filesize
202KB

MD5
067d9f24f26db305593e72bbf731764f

SHA1
fcd19389a8e5c6a284474fd3220865ab47a02a4c

SHA256
7b3650bbf8b89b0637c48bb61446f5838276d4d3f629f3ca1945d3935bf7719f

SHA512
9178ef59720bc3e57d7826f25f9d0e39f4543b76178bd149f26f8692026aa66d282cbd398ef7bf64fa864e59170954162207a1bd5f72d9601e1b4eda3822f37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAAs.exe

Filesize
189KB

MD5
631304718b4b1e5c492b5e44c653cf1d

SHA1
168b570494134faf258ea9cd6457ace1dd607a2a

SHA256
589d57921c2fe2904a35a7757988e50ba2a4e83257bb46ab5a3642b122ebaa3e

SHA512
2a7d31a93bb95c3b80547b316ec2e29f7cb601d101640e1a4dc3502308ae07487e9f845a55896d72e7566e47dbeed46b6e8ee1e0f794f2a648a2796b5191c89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEsK.exe

Filesize
223KB

MD5
2cbce29db2bd8c554aae02cfb6ca2c1a

SHA1
8af79344b41b86349ed3bd2798b2ed17b0d36200

SHA256
11534df7aa373c0e00e00bd539afe06eb351928a9ca0baf45af8349a25b1da82

SHA512
6b3c0ba63841ad90d9db6ca21464f4baa5428d46a122d3b7504c53706ba58588f0479580a0fc641274d34d34fff68cfd091a4a7aee8a061292af67fe0556ff62

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYcK.exe

Filesize
188KB

MD5
24a9ec41d5f8183408b62f316f4f6820

SHA1
7c17059a01a589b2665855c0d9f771864a2a24f7

SHA256
bb9addde19d20317b201a5b0c0cef5b67a121ae789e0ee6503aef7e351b5091f

SHA512
0f838cbc02d6a9522119c29c65f97bd3b2e302e42a60e2faedb2caffee6c502b9a1a3f9ebb912080524811fb8676d92d78edc33cfd0ba36c00a7575ef9a806f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIMU.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIsw.exe

Filesize
279KB

MD5
e143d704f4166f147531579fc0d29b6b

SHA1
c9e496a31eedb56b0dd21520aec760cbd2dd761b

SHA256
ff038ac21309733e2541cae87fbee4e17ae8681a8365d51098f4c112e1eb3a14

SHA512
51fe5d8d4cbca11b636df4ea450223bed7ed665bfb38fe208122e9d04f45a7100cd0c1171a21e1a54a0b0dfea15574089029110d44a94daa8a99744582655dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIEq.exe

Filesize
196KB

MD5
89568797b60c9b5ad9847ee83cc72f73

SHA1
d3cc2c52a96c9624beb3cc68ac85c96d91575c8d

SHA256
4d288e7f720c9d1dba3670d66e6c528654e6a9ec213534580ce2f231e75e0dcd

SHA512
cd6a54e0db0e5809800cef6e8b089c0bd0cdaf12dcba47b076032df81f81c04f645b10a27f9db732437ca3820d614fe1213887b1280b5b05b339a84cb5a96b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIsC.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQUe.exe

Filesize
832KB

MD5
91e217be48c41458fe843e13c1bee39d

SHA1
4878807f2fb47f6dbfcbc6be443079c97b044e66

SHA256
6c511cfb438b9db3ee7abc9e8699983b75a4b15ad7aa05c7b743b6ed2721a8ea

SHA512
6776c75b87475d5f01dbde7e3389800404c87e0f9d37b0a80211ea056564cf2e6d759af364e39cd1267db759dd19178cdfb848e6f89a7744a01babefc38d2ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eowe.exe

Filesize
230KB

MD5
e6a3e9baaf5fc770a8d3ece8b3995778

SHA1
6954f797aa9b7538e98fb4c5dcc675a605d7508c

SHA256
aa6445b7bc5b83177beaf818950ceca93f38628ae150cadff88fd9045429d73b

SHA512
6dd3736295e9d90b470b70f24512d15096f83d3223a40cf79481442fc630e5d38cd2f1042247f3cc98da1c29b49c77a6c1b81ab938eae943f425c935452f8aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewwk.exe

Filesize
96KB

MD5
61fbabe893d8136c896ea7d8524f91a5

SHA1
19cc04a1e67487f270e135acff15b946d6076787

SHA256
e77279748712506350d4b747ec76d39c262543ad5b574108884238c23cd2e061

SHA512
6878ad0386000e8d8a75415c7df14d220a1c7a95cf330c9a22ddae8a686d0c8d113392d5d230e27e6a606fea8ebaec20fcd13b8e0b747f71857c1abaf2e3696d

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAYY.exe

Filesize
260KB

MD5
67a6c80e1c16f61a1f10602ded42466b

SHA1
55402d3524e97850ec134ea2a419715403e763fd

SHA256
6fef51b3a8a72597d0cb9f7c1f5d78543d5035a4e5c9643a9f0fb2651c30ef1d

SHA512
88b5c7ff91b4c615fa9af029ad7fdcea844162c4ee8e48992cf5d0600c923a1fd2ffd9fb563fe5b2d88c71e7d83f538f32a63b8f6ac200e712f285dc41f8de1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIIU.exe

Filesize
204KB

MD5
4108edc11f0dc8a62c4807282977a61e

SHA1
2a6391b54a35b852bfe13126895c18ac6a1972d4

SHA256
c22ecbd87d6da13930d642e8f7ff05b52c7ed38102cf432ee5ba5edc6e1d1132

SHA512
259613e95d8fc593b1e65f68e39a3dafceacd2cf1e29b1207f8c0a30f65a3992609a91b9ac578b3125080c5b491a23a2757d49a85200b68d094f34b25302a72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQAI.exe

Filesize
347KB

MD5
fbc2f55f581c19c7f2828a10b02a4754

SHA1
884a7f76d402f914614edc6e4514cb58467d330d

SHA256
08909548d07c0e58f621db2269aa8a5b71b9d69e47cd55eb46969f3662e5ac70

SHA512
a040b2f56a1d66ba21ab72422b6b70bec9408ff8d915632cff70a3e73b37b4fc6b9d7e15b60764944dc937f8041186a250aa0d9316542821ec2f07c3f5ef259e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEsg.exe

Filesize
184KB

MD5
bc8f3e6219d5ae9f138d83821a184870

SHA1
25ea20c29b0095d50d64f9b379cd38f27bb09339

SHA256
cba4717d273b07e48d6a1502bb787bb51940147fb94c58d6b6cb51f9ca162f24

SHA512
6253292f37e5c55dd15060a168856a54ebe589ef2a5030310189657a650c5282b7e6c9045c3c6c0c9a7e649623b34a6ca265df905bac4135e9c2ee9142971b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYcO.exe

Filesize
639KB

MD5
9b6fb6b62ae0368bd5099cab44b0477d

SHA1
9b1865300d6cfe123e4d8e8f8a33ecc457030ca0

SHA256
1e6de57516c4f4e6b11e87b1065647d60ddf06c9f186672959f605030a2b225e

SHA512
98f62ea1c36b148a67d362faa99ef343da7b4701ae3a61dc981ee5dc2c5a04f1ae4cde9788feadf71a7490ac92f9e200bc12a15633a1e8043a5e0e29197de7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioow.exe

Filesize
186KB

MD5
a25b47db5895af91783f1d399f8c7909

SHA1
231c830d922d4416118f8368a82afc3558eb6323

SHA256
93ade0eb7e127d87645458bbf6cdd532b94b8910f60e12f2835e6863e0ab8f41

SHA512
5c7261cd9835f7db2b75df3df194b704e426ca2c1083d21ce74e162ff855fc17ae987a60afd8c4582cbcf9eeb572bed224f2083b7040def8255220e7593fedaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgka.exe

Filesize
216KB

MD5
2aa0add8e26c48a249eb76eeacd2d26c

SHA1
125da1ba3783dce92db797a5f2e3cf0ea3e2367f

SHA256
af834a3a35237fb8a39df78ae930a78ee4207acc916919f9cb8fcacd741fc9c8

SHA512
e67ca9384ea1cedd5483dcfa0be355eabd71fcdb2c8f026a4516774d60889b4f57b546f89a5c4cd0ab2b1ecb315fc2661b0cac94658a33073f4ed426136313c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\koEW.exe

Filesize
436KB

MD5
6130b66c8c9727d930a686181a7eef50

SHA1
d835f48e3fa55d02bcded8d502e6ec1b58a3f4fe

SHA256
b6baf8a9b7a33310edfcbb0424021ee6e7eed18abc3a26db460712d02f4c847b

SHA512
3baa0343e0bd9edc8b1df49489c4bd283f3a2ca673fd383bb12efe6834944713dd51dc5e0b1f6c21f118c776fcadb305b50e9bdf04133a9370ba70c54ac54227

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIoY.exe

Filesize
167KB

MD5
92bf07b8098c6c5e9e11bd90531d6266

SHA1
80835931b0befa094942f1b24954c8792e0ec80d

SHA256
840cea0646b5b3ab6c303c39849270e2830b7b8b8963c8cf0c032c58bb1bc882

SHA512
e98c94810e57652f8d200c3d0d980868746ac1cc557b03f0dd5f3e6cec869077e4fb4d526e194ad41583f3261d9d9600b0d99fdf5b971c066e65d73a0a3a818f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQcc.exe

Filesize
191KB

MD5
c8ea8a9f55075467c80e4c5520099639

SHA1
3fc6026c15e04f4fa52713e0ea59d387060e5021

SHA256
81ed0dc09dc2c327e6b95a92b5d0a33c4d367802beb6e756e443373c75a70e9d

SHA512
99c8bf852ef25625dca9b78ecb167af0c2fd76e4bdc9cc059f4f9b5cb3d487c9a3df93327eee81a875b9347466a6acb3b27540b771ea0337afa2d83b21b891d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mckC.exe

Filesize
76KB

MD5
e2a82694dd3da250ec4baf083f152d86

SHA1
f60c44a85c6877579afa82b32d933d174a798b50

SHA256
f84dcc6218176e1875f33486d00fa06ef0b074b0ec94503ef9dbe8bd49689f82

SHA512
710ccf8c214d375736c3f733a672901afd48c87a4e89e1017a06f65e1110480c1a10ca860adf676616db4e6fa3a516c7ac0a04c41de3867afad0441d6ea43956

Download Submit
C:\Users\Admin\AppData\Local\Temp\mggk.exe

Filesize
194KB

MD5
945283d477da95cb4f967c71f89789e7

SHA1
323eb4d70e69a80cb7b57134bd140b64a5c98981

SHA256
45272108b0b2372f71520779f73f2690987640b87a969334f1b1767b20b0271d

SHA512
20d87c55737da4e46a948519e0fadcb4f4c42455983319b1af7a4694da899d8df59a937da7098c4e44a326f4e31deb8f8103384dc9117772baa2f675d3899c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIYC.exe

Filesize
191KB

MD5
1b60f06ba2fdcdf1bde0ae1fe18a7c2d

SHA1
f658e09d12a741af1028c4092023854c8b155e4e

SHA256
06c6cf8c52b77f38ef2aed1e95c11171f950178ed1e89e6ebac9066e82924b94

SHA512
a0f074e05bdcbef8c1dea3a6b65e37963e43a5c8b1a68d8a96faf6168b4b46cc744b56f9c1f0dbc74c7c00a4f226b6f62ec98727c4d29152841665069ea2cfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQAK.exe

Filesize
638KB

MD5
3ed33c422fa5ea1522ed5c959675fe78

SHA1
529649e18099fc657f3a8db99d782800172e8003

SHA256
54658a4d6cb375dabe14babbfbbaaacb7abc6274c5433593269e25d5807dcd57

SHA512
8159e94a139f980f9e3dd70fadfc2cdee8413168aa89cfd9a9824beee790ed128102f50cd5c7976325b13733b9cbc52da209b53a780dea19954a5408e1b85e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUgk.exe

Filesize
499KB

MD5
c0742e25b71f811c8bf7341d9af7f33b

SHA1
a015ae68321e5aee1110b759d5f2ef3c0d7c46d3

SHA256
8312fa16e9f0fbb45d11bdd93fa36f894846857b61b60bf4744a64441b32b1de

SHA512
d0501827987af7ddf72d2fa5cbd89e0f3e8aca64b109a29921e9b917bedfa33662524d201764e29c5f01569c7e0bb58f8ecf9e016f2084e16f1f1b3f2c28ee91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogwO.exe

Filesize
198KB

MD5
299e0866ba27bcb69eeabb601e8c9770

SHA1
834a6668b73aa56d988cbacda760b8746fede67a

SHA256
59347f45cd8245fd4dcbdc689b22b58f7d9548eaaa606a58fc93f32c2c33a5d6

SHA512
73d46895d900edbf8f96f306ab10b9ae9cc8040604b2f7e068a3ae8b3563db9691525cf2eb4867f971853b945965a777545ce7700f11fec0933ccfa3d8db0334

Download Submit
C:\Users\Admin\AppData\Local\Temp\okgu.exe

Filesize
284KB

MD5
60e3850ae7c7edc44c92e3835268286a

SHA1
f807edc13e47337332818cff1da8c07ccf22d59f

SHA256
4dc508c264800d1721d58e57bb3d98cb7c32ddbaa4b894c2d32440d129a0e13b

SHA512
2901b5f56eddfbcfa550609371171184ed0eebfb3fde4ca925abc3cbdc77ffe4f37095e7122994d4dae65607e049e1eef079cfd480723ea17bc9814203abc909

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMgc.exe

Filesize
85KB

MD5
3e6db3d3bd581fe0d23b62888c715b5b

SHA1
0e298c85dc89e636fba95f21507c2a8e5e91d3d2

SHA256
83ba05ee54253631125301287ea3c6b2f8222b37dbd95ea20f94ab4f3ee73cfa

SHA512
72e40c911e4c17cebaa4f475446d11db0a91e48abae0350ed7d7fcc99fa90d3205bd3db121f8f08ec702a8fb03e09966f0b16b7cf98089b9d516376ada465429

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYkS.exe

Filesize
868KB

MD5
5b831c86fbacdf3c705f54877f4836d7

SHA1
55c108680b32195a304e4c6616469b480d190c53

SHA256
43541f4826c99da4281e46d12f4fc2e3edc64ef716fc114a9a6b2fe5d3be3718

SHA512
ea09112e3e0ea5b36bad2c8cc6cfada903fccddbc9af387eaac8cfb1cf6a5949a7fc162a01a1fd53528c22a9ab168d1e5024fb1efef3b7aa709d732c339072df

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsoc.exe

Filesize
218KB

MD5
eb47fe0715ac4dfec8433fe28ece8120

SHA1
a9e4f382faa97609f8e5ed2e8c84aa4e694ddf69

SHA256
721011ccb0f0e2536dbfc9a684dcd0139936e8c284b296c9c36be632f0e9e19c

SHA512
9a57814b77b1bc725bfb91d93f746168c6c67eb3554ac1abaa64f128c5ef31c2006ee8770af66f3c7a366edae6346d987d93a44cbaf848ac0b823523560bae19

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwgy.exe

Filesize
199KB

MD5
ba185dcbf0a4cef64a77686a038e2b85

SHA1
fd2db6ec07d3b40e61aaa08aacab4860045ffabe

SHA256
2ad7db2fd8ef9aebacde61f63fe560845769b9e0fb20453b50236a33ae14a19a

SHA512
8d81845b60559ff66b0af701e16d5975ceb4cad346f2903edd67fd5f1438aca11f427108b526959bead71559c48e18fe310988e9d649a12c83ca7318be8eb4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssMa.exe

Filesize
158KB

MD5
69ddd3df1bdbf0c7ad0c4341d1bf750f

SHA1
afc6963e914593ef2a47f6b40c4caba39c8b6430

SHA256
e8351074177138120a8c7166e0bec880f53d2907b9f0afe3bc56d0dbf050aa03

SHA512
8b9ec3f6f1f3fc5cbf008ff7b6dc4ad5e91c5207ea1daf227e948cf1b8ee5a1de61c4574a3cbf883a6bcfabc8a3e10b31699ae00eca3b8da83442c78102256db

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAMy.exe

Filesize
202KB

MD5
d8f14255329abca54bc0ec5b63a2bf7a

SHA1
d514250190acf68ad59cf4b38813a2febbf53f6d

SHA256
9e6f2f6526e55a76c424142760ea2054ec59b831157a4a1af38ea7378be1a6b5

SHA512
a1368f029e371a6db7e1b106d9484acb203bea2109bba4999edc568cb7caf70fd3938019929ee38f77c7f5c160a0a5d08627329bc9db235a4ca2905174365432

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukUy.exe

Filesize
566KB

MD5
bc75a622aee089234712344c158c1154

SHA1
42101dd8d894e3ee50fabcceb8eeab95cd223fb0

SHA256
a3fc9794013f6bf728e417afb367df2820a2f690791c3e7f3c3b769fb4106e22

SHA512
b9a7a2a85ce6fcd5855bbd16b8e62dadb5308c86aec1ea6e7eaa0e73f6012d906fb52e3a5503444b814d1cc9e5eb7b7fbaa7e8168b697884222c4353e9ff68d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uokG.exe

Filesize
188KB

MD5
d061688181eb527268faa11f309541e6

SHA1
0142f7d57aa2f7234d6c38f6f6b21e1aa0b47899

SHA256
7061df60f74ecd6988c1e9ff4e8e107cf2cb7fea37096b03239d97d8a262b2df

SHA512
0a68e2c398ef1d363826e6326c94459d3f179154eaae1cca69049a93be7b62db9df7d1df4388358cc922f1effb6102478d20b5e6d9cc7ac330558bf8953038ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQgi.exe

Filesize
217KB

MD5
13650065e510e3cca0df090baec11b69

SHA1
a2683c139fd0c1e1a5a7edf811ba65ae248200e2

SHA256
4350eb70f4363b32038c4ad9298b2ef050acb96bd07499152047a9bdab5901a4

SHA512
44e93ec988149e94cb06dd6c8fd60f4797c04eb4b1e7c98201c8d80359b275ab3e064f7b3683b8e55d5cc8ebd59fe44671819be48dc2cbc7185fc61437a92e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgwC.exe

Filesize
322KB

MD5
5007d6e00a9d14ac95e6ea867ad28238

SHA1
bdd487fea315be05c2e87b064dafe322cd646859

SHA256
d5f4b7cb175a95b964971d5fc1de415a238256823cb09065fedfa5513a906b9e

SHA512
0392e1a7c4f9398093eeb935dcf31f4cffe777cbbdd1fc2c313a7de298921ebc6e53d81c4afab03c903fecd3989c3e66f0a7e2f6164ed7168eed9d95a73e3f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMEi.exe

Filesize
188KB

MD5
e277a798d0c83053388772e8b9a5a14f

SHA1
0a1b89e8b1bb7156524f633a4b7ddf715ffb9aa0

SHA256
1ba243adf570efa248ba24d107004f6329a792abb97f1147ec90beddefb20014

SHA512
3394133c468dc95b563fb46f0acbb087538fd4bfcd96b20c3c69279e54e74fa59f530a4fbf6ed33908d76881b2455e93bcf2839005c9f1765f1d43062d5da601

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMwa.exe

Filesize
186KB

MD5
3a79b426e91a34d899943739d21f95d5

SHA1
c8a5beaa0f7114555cdcecd1cc43a4265cfa4604

SHA256
151a4c463efcb0d64a9507a3f2163ad8ff3019e736e0481630c1253431dc4081

SHA512
ec66dafe08b12486f3131cbc7117de87963eb7530ede82b74ac935085c2d8f20f7a995059b02e2ec5df98c034dd8fe3e4b82db795a266db5133b693301e19e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygos.exe

Filesize
195KB

MD5
9116f0a14863567826f56efdb30ff31a

SHA1
507242b703008ad23fb2c4b9c158bfae21187428

SHA256
ea554752b4cdc55617ce436f367eb801b8b6a95a40ed0a695cfbc720124c5fb7

SHA512
ab9d0c0bb7d2bc54125505900e4593629f239528be6f5a3d0ab9aec72d3452e183e9d0bc35dcb7279f4632f477a236625a1f5f528b40a33e8186600403beaf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yosu.exe

Filesize
636KB

MD5
b1d3777852c0ba74d6bf8bb887ad6fe1

SHA1
d0264f16a44ff2b977511c55b8f7268fe26c0a4f

SHA256
8891d6bccf7b938153fb904321a5cfc81b02bec712aa3ab139c8bde2f45e6ca5

SHA512
1f96c382df44c80381c401b0ddd177cb7af170908b427ae4b496bf2d942459c97bbaf7d35eeaff17fed06cee43d12126b13807af8357c175343222c1ae1e4fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysMi.exe

Filesize
318KB

MD5
0f5609e644201e8a6fdf92f06da2028a

SHA1
20bae9c25f6d87f4c24a323c3135848b4586e452

SHA256
9f4b4a5584d9376416fa09384a5d005bdf81d54c693082812d92f20f06c9d592

SHA512
3515d85751c24dcd488a740bef3e6a77b63e8e36d85d313b186c8df72f65180aac03d497be513caa034bf3657161de1537b6803960272c7501f097741cafdd4b

Download Submit
C:\Users\Admin\TwUcgQcU\JSwAIcEY.exe

Filesize
188KB

MD5
dbcf4d5ca9346bd7762dada8bd476cb5

SHA1
ff49a075fab9e7dba88a89785b30f8538fe29dff

SHA256
103d254ff10a4ed41d2eb13c679ff86cd3977c0f4c573f87e74fbae540875d56

SHA512
2246bbbd2648c7af774e749c5f40e434e70ad67c6c3c45051f88bcbcecf5a3ad4b80308dc5bcd2ca831acb1e8b6b4f512fded0461c93152251b1829be85cec76

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
547KB

MD5
b46bcbba6fcf40f92f5473779803ee88

SHA1
09b5c23f1084c084cd9ca307b23308a02d08c649

SHA256
7176f658f6eec6c4549bbead90ac43f4506f9ebf16aebdb50d3ea5321fb8bda1

SHA512
40a280a03098a2fecc170571cb80c1c3cf6f3e0f40c7b51f3fea13e759d8f6f9bc299dea61729f89b0bc6dd7e09595594e5112de39ad4470b10fe08d1fc34f34

Download Submit
memory/228-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3392-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3656-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download