d3499ba260ca5d94830789511fc893a91504efd99d5d2b42ce0ba0329be68476

Analysis

max time kernel
7s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f1f60cbae8c537856ec60153d58eb0f.exe
Size

484KB
MD5

0f1f60cbae8c537856ec60153d58eb0f
SHA1

8c9cd4230110d20ab1070997852dffafa8c902ec
SHA256

d3499ba260ca5d94830789511fc893a91504efd99d5d2b42ce0ba0329be68476
SHA512

f7dba680cfc2652ed3f028add7d562f2a29477b487cdb1fe097ad3a8f98f3c962695d2b8ffab70fabfb327adfe491a81ab5a3be1376bc7fe6d39fbde2945647f
SSDEEP

12288:Tjol5Ksngu9L9Zumrf0KjuH0T2tMa5fUrhOoxs:TjolwwHjf7Q5txdNoxs

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 19 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 20 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f1f60cbae8c537856ec60153d58eb0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4600	WkIQYIUM.exe
792	baIkgwsM.exe
232	raAgQwkY.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WkIQYIUM.exe = "C:\\Users\\Admin\\ayEAEYoE\\WkIQYIUM.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\baIkgwsM.exe = "C:\\ProgramData\\AmUAYggc\\baIkgwsM.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WkIQYIUM.exe = "C:\\Users\\Admin\\ayEAEYoE\\WkIQYIUM.exe"	WkIQYIUM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\baIkgwsM.exe = "C:\\ProgramData\\AmUAYggc\\baIkgwsM.exe"	baIkgwsM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\baIkgwsM.exe = "C:\\ProgramData\\AmUAYggc\\baIkgwsM.exe"	raAgQwkY.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0f1f60cbae8c537856ec60153d58eb0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f1f60cbae8c537856ec60153d58eb0f.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ayEAEYoE	raAgQwkY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ayEAEYoE\WkIQYIUM	raAgQwkY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3460	2264	WerFault.exe	93
3236	4964	WerFault.exe	393
4932	4500	WerFault.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
536	reg.exe
3456	reg.exe
5656	reg.exe
3948	reg.exe
4148	reg.exe
4752	reg.exe
2800	reg.exe
5000	reg.exe
4524	reg.exe
3784	reg.exe
2800	reg.exe
6084	reg.exe
2896	reg.exe
2700	reg.exe
2432	reg.exe
2356	reg.exe
1160	reg.exe
5520	reg.exe
5476	reg.exe
2564	reg.exe
400	reg.exe
5724	reg.exe
5536	reg.exe
3580	reg.exe
2200	reg.exe
6104	reg.exe
5216	reg.exe
1660	reg.exe
5212	reg.exe
5640	reg.exe
5152	reg.exe
3376	reg.exe
2324	reg.exe
2724	reg.exe
6104	reg.exe
1304	reg.exe
3776	reg.exe
4152	reg.exe
5200	reg.exe
4660	reg.exe
5908	reg.exe
5328	reg.exe
372	reg.exe
4660	reg.exe
4668	reg.exe
4572	reg.exe
4960	reg.exe
1040	reg.exe
3912	reg.exe
4896	reg.exe
5628	reg.exe
1160	reg.exe
4032	reg.exe
5932	reg.exe
4612	reg.exe
2528	reg.exe
208	reg.exe
5544	reg.exe
5476	reg.exe
5608	reg.exe
5740	reg.exe
5672	reg.exe
5148	reg.exe
4684	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1004	reg.exe
1004	reg.exe
1004	reg.exe
1004	reg.exe
4932	Conhost.exe
4932	Conhost.exe
4932	Conhost.exe
4932	Conhost.exe
4876	0f1f60cbae8c537856ec60153d58eb0f.exe
4876	0f1f60cbae8c537856ec60153d58eb0f.exe
4876	0f1f60cbae8c537856ec60153d58eb0f.exe
4876	0f1f60cbae8c537856ec60153d58eb0f.exe
3976	cmd.exe
3976	cmd.exe
3976	cmd.exe
3976	cmd.exe
2588	0f1f60cbae8c537856ec60153d58eb0f.exe
2588	0f1f60cbae8c537856ec60153d58eb0f.exe
2588	0f1f60cbae8c537856ec60153d58eb0f.exe
2588	0f1f60cbae8c537856ec60153d58eb0f.exe
4768	0f1f60cbae8c537856ec60153d58eb0f.exe
4768	0f1f60cbae8c537856ec60153d58eb0f.exe
4768	0f1f60cbae8c537856ec60153d58eb0f.exe
4768	0f1f60cbae8c537856ec60153d58eb0f.exe
1008	0f1f60cbae8c537856ec60153d58eb0f.exe
1008	0f1f60cbae8c537856ec60153d58eb0f.exe
1008	0f1f60cbae8c537856ec60153d58eb0f.exe
1008	0f1f60cbae8c537856ec60153d58eb0f.exe
3664	Conhost.exe
3664	Conhost.exe
3664	Conhost.exe
3664	Conhost.exe
4160	0f1f60cbae8c537856ec60153d58eb0f.exe
4160	0f1f60cbae8c537856ec60153d58eb0f.exe
4160	0f1f60cbae8c537856ec60153d58eb0f.exe
4160	0f1f60cbae8c537856ec60153d58eb0f.exe
1860	0f1f60cbae8c537856ec60153d58eb0f.exe
1860	0f1f60cbae8c537856ec60153d58eb0f.exe
1860	0f1f60cbae8c537856ec60153d58eb0f.exe
1860	0f1f60cbae8c537856ec60153d58eb0f.exe
112	0f1f60cbae8c537856ec60153d58eb0f.exe
112	0f1f60cbae8c537856ec60153d58eb0f.exe
112	0f1f60cbae8c537856ec60153d58eb0f.exe
112	0f1f60cbae8c537856ec60153d58eb0f.exe
1984	0f1f60cbae8c537856ec60153d58eb0f.exe
1984	0f1f60cbae8c537856ec60153d58eb0f.exe
1984	0f1f60cbae8c537856ec60153d58eb0f.exe
1984	0f1f60cbae8c537856ec60153d58eb0f.exe
2148	cmd.exe
2148	cmd.exe
2148	cmd.exe
2148	cmd.exe
4684	reg.exe
4684	reg.exe
4684	reg.exe
4684	reg.exe
112	0f1f60cbae8c537856ec60153d58eb0f.exe
112	0f1f60cbae8c537856ec60153d58eb0f.exe
112	0f1f60cbae8c537856ec60153d58eb0f.exe
112	0f1f60cbae8c537856ec60153d58eb0f.exe
5112	Conhost.exe
5112	Conhost.exe
5112	Conhost.exe
5112	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 4600	1004	reg.exe	997
PID 1004 wrote to memory of 4600	1004	reg.exe	997
PID 1004 wrote to memory of 4600	1004	reg.exe	997
PID 1004 wrote to memory of 792	1004	reg.exe	996
PID 1004 wrote to memory of 792	1004	reg.exe	996
PID 1004 wrote to memory of 792	1004	reg.exe	996
PID 1004 wrote to memory of 2264	1004	reg.exe	779
PID 1004 wrote to memory of 2264	1004	reg.exe	779
PID 1004 wrote to memory of 2264	1004	reg.exe	779
PID 2264 wrote to memory of 4932	2264	qccgEQwE.exe	802
PID 2264 wrote to memory of 4932	2264	qccgEQwE.exe	802
PID 2264 wrote to memory of 4932	2264	qccgEQwE.exe	802
PID 1004 wrote to memory of 4900	1004	reg.exe	994
PID 1004 wrote to memory of 4900	1004	reg.exe	994
PID 1004 wrote to memory of 4900	1004	reg.exe	994
PID 1004 wrote to memory of 3912	1004	reg.exe	993
PID 1004 wrote to memory of 3912	1004	reg.exe	993
PID 1004 wrote to memory of 3912	1004	reg.exe	993
PID 1004 wrote to memory of 3384	1004	reg.exe	992
PID 1004 wrote to memory of 3384	1004	reg.exe	992
PID 1004 wrote to memory of 3384	1004	reg.exe	992
PID 4932 wrote to memory of 452	4932	Conhost.exe	990
PID 4932 wrote to memory of 452	4932	Conhost.exe	990
PID 4932 wrote to memory of 452	4932	Conhost.exe	990
PID 452 wrote to memory of 4876	452	cmd.exe	989
PID 452 wrote to memory of 4876	452	cmd.exe	989
PID 452 wrote to memory of 4876	452	cmd.exe	989
PID 4932 wrote to memory of 4032	4932	Conhost.exe	988
PID 4932 wrote to memory of 4032	4932	Conhost.exe	988
PID 4932 wrote to memory of 4032	4932	Conhost.exe	988
PID 4932 wrote to memory of 2456	4932	Conhost.exe	987
PID 4932 wrote to memory of 2456	4932	Conhost.exe	987
PID 4932 wrote to memory of 2456	4932	Conhost.exe	987
PID 4932 wrote to memory of 2060	4932	Conhost.exe	986
PID 4932 wrote to memory of 2060	4932	Conhost.exe	986
PID 4932 wrote to memory of 2060	4932	Conhost.exe	986
PID 4932 wrote to memory of 3896	4932	Conhost.exe	98
PID 4932 wrote to memory of 3896	4932	Conhost.exe	98
PID 4932 wrote to memory of 3896	4932	Conhost.exe	98
PID 4876 wrote to memory of 4128	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	100
PID 4876 wrote to memory of 4128	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	100
PID 4876 wrote to memory of 4128	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	100
PID 3896 wrote to memory of 2512	3896	cmd.exe	981
PID 3896 wrote to memory of 2512	3896	cmd.exe	981
PID 3896 wrote to memory of 2512	3896	cmd.exe	981
PID 4876 wrote to memory of 2832	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	980
PID 4876 wrote to memory of 2832	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	980
PID 4876 wrote to memory of 2832	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	980
PID 4876 wrote to memory of 1952	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	979
PID 4876 wrote to memory of 1952	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	979
PID 4876 wrote to memory of 1952	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	979
PID 4876 wrote to memory of 4988	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	978
PID 4876 wrote to memory of 4988	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	978
PID 4876 wrote to memory of 4988	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	978
PID 4876 wrote to memory of 2356	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	977
PID 4876 wrote to memory of 2356	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	977
PID 4876 wrote to memory of 2356	4876	0f1f60cbae8c537856ec60153d58eb0f.exe	977
PID 2356 wrote to memory of 2004	2356	cmd.exe	973
PID 2356 wrote to memory of 2004	2356	cmd.exe	973
PID 2356 wrote to memory of 2004	2356	cmd.exe	973
PID 4128 wrote to memory of 3976	4128	cmd.exe	783
PID 4128 wrote to memory of 3976	4128	cmd.exe	783
PID 4128 wrote to memory of 3976	4128	cmd.exe	783
PID 3976 wrote to memory of 4440	3976	cmd.exe	972

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0f1f60cbae8c537856ec60153d58eb0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f1f60cbae8c537856ec60153d58eb0f.exe

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
"C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe"
1⤵
PID:1004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsgwsQcg.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 332
    3⤵
    - Program crash
    PID:3460

C:\ProgramData\TwAQYskw\raAgQwkY.exe
C:\ProgramData\TwAQYskw\raAgQwkY.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqIYokcI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:4180
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1156
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4612
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4472
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuYgcgwk.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:4560
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEosgoAk.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:3600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:3860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuIskEYE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqIUIUog.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:4292
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5100

C:\ProgramData\zQIAYwYM\QewwwsQU.exe
"C:\ProgramData\zQIAYwYM\QewwwsQU.exe"
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4500 -ip 4500
1⤵
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2264 -ip 2264
1⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqAQQsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSkoYAIA.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5576
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5560
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5552
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:5508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5760

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:5812
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    PID:5852
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:5408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:6120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:5356
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:5252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAEYQokI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:4944
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:5580
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5460
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:5676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:6032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcEcgwgY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5924
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5536
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:372
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:5856

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5496

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DikssQEg.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2700
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewIIYkYs.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:5244
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkAkwkgY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
      4⤵
      PID:5624
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5156
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
      4⤵
      PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:3456
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5068
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2168
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMUkIEww.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:5416

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5640

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:4388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYwIwkAc.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5656
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:376
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1860
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgYsAwYo.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
      4⤵
      PID:772
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3784
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4440
    - - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
        
        C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2588
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:5076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
      4⤵
      PID:5088
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2060

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:5832
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    PID:5956
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCokMcYs.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5532
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5212
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5716
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:5096
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:5440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IswMswcI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5656
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5252
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:5544
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:5704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
      4⤵
      PID:5520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:5260

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:3460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUwAkQoE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:6020
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1160
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1456
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:4472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5764
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImIEEYcs.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGIYEkAY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
      4⤵
      PID:4420
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1160
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:1636

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:3460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUsIQUkA.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMMckcoI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5376
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5520
  - - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
      C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
      4⤵
      PID:5600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:5164
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:400
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:5192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgcEEIQk.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5692
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:6104
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5244
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:5600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgMgIMkE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:6040
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:6084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:5864

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:3296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2060
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2456
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCIwQgMU.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5344
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeAMwcYc.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5952
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:5752
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1172
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2152
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:4632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkIAwYgo.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5632
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2148
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:5628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5188

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWoIkMQM.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:3188
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5420
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:5724
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:4392

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5848
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SksAsUwg.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:5476
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:5152
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:5824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAEYwosA.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5908
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5940
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOsAskcw.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5924
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5948
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2340
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4152
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:3580
    - - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
        
        C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
        5⤵
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
      4⤵
      PID:4016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:4484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    PID:5976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkEEsAQc.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
      4⤵
      PID:5780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3456
    - - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
        
        C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
        5⤵
        
        PID:5840
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:6100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueQEscAw.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:6076
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5136
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5876
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1008
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocYsUsAA.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5744
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:5692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWkEcoEM.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2428
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3952
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4652
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:3460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:3136
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:5000
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCEAkcMQ.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:5460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQEEQwQw.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoMUcwMg.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:5180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4664
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKIgIQIg.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:5828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWggwogc.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5480
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3604
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5364
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:5476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:5484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQUosAAw.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoQgUwoM.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5668
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5688
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4484
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:1304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGMQcsIw.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:6104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYUIYIAU.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:5976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKEcckMI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5984
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3236
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3296
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:5764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:5200
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:5172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4628
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2000
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sykQgkgA.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2200
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    - Suspicious behavior: EnumeratesProcesses
    PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:1992
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oicQcswM.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:5604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5480
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaoEEUkI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:5852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWcEEsoE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSEogYAo.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:4432
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4668
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:3380
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:788
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1008
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1660
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:6108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:5932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:6024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:5908

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:3608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMUQUccw.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:5780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYoUAwAY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:5508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:6080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:5608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeMgoUwM.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5912
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5164
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:5740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqcQoUMU.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:5756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:6068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:6088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUUoowEw.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:5548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:5328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQcQgUUY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5456
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5248
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5332
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIAwckok.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3952
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4028
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAkAEUso.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
        6⤵
        
        PID:2200
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2836
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2800
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1264
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
        6⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4292
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1040
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:5756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:5672

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:5624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:6088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XggEEwsY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:5364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:5148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:5216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:5200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYkUMsUg.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMUQMQwk.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4896

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAgcIMoA.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:5068
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQAYQcYA.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:3456
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
      C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4660
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiEQsYoE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:3440
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2200
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4980

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2204
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:112
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:536
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2356
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2004
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 288
1⤵
- Program crash
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 404
1⤵
- Program crash
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4964 -ip 4964
1⤵
PID:4580

C:\ProgramData\YaEYIkEU\socUUgUY.exe
C:\ProgramData\YaEYIkEU\socUUgUY.exe
1⤵
PID:4500

C:\Users\Admin\TKEIYoAE\qccgEQwE.exe
"C:\Users\Admin\TKEIYoAE\qccgEQwE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWYAkQQI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUYsEAkM.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:5000
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4576
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3608
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGUcEgok.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:3900
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swYcYAws.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:3384
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3912
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4900
- - C:\ProgramData\AmUAYggc\baIkgwsM.exe
    "C:\ProgramData\AmUAYggc\baIkgwsM.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:792
- - C:\Users\Admin\ayEAEYoE\WkIQYIUM.exe
    "C:\Users\Admin\ayEAEYoE\WkIQYIUM.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4600
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1040
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:1272
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4940

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwcwMEQA.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2700
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:5052

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkQQcoEY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4572
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:1984

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:4684
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUcwoYII.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEUQsAYo.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2832

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AmUAYggc\baIkgwsM.exe

Filesize
74KB

MD5
3bfed86875d476f81224d0c1764553ed

SHA1
33a76edd9430b021f123885a29fd5f023cfde4e4

SHA256
8900055f1aa9d98ed4eba79b0a1abdca89d2e7eaede6360062401bc8445b303a

SHA512
9efdfd41199d43c3b821ead161c3caf131bfecfd7fc9d43e19d40aab193ee46cb133a7006bf0023583fa1f172774394b0816056b6be86d76ecb82142450ac126

Download Submit
C:\ProgramData\AmUAYggc\baIkgwsM.exe

Filesize
117KB

MD5
2cc3875be61fc1c9470e4a3daabfe090

SHA1
1d09548e2d8056f3677533291cce19cab6d7cc01

SHA256
2b48894f52bbeec9d6e848556ae66eb134373d72c466088c19c2fb31d9a45746

SHA512
db6ef9ddf993867c8616a5b582068e8d9d824ff4df3969f79c3b9ffc312e12fb6ae620f246d78b6ddb4847edbfc88fffa83bb003edd32cfbfcb71e07e7e40736

Download Submit
C:\ProgramData\TwAQYskw\raAgQwkY.exe

Filesize
152KB

MD5
29b94d5b3b0eabd543f7d18ca6cd7425

SHA1
53bc9028e74f6f8d83a7d91a5c083dbec3ca6e31

SHA256
0d7def9ef4b692eb15b2a8878f213db009523a27f739dd3baad853eae26aa835

SHA512
162065ec247edef4bb51cb2103bdcce2170732049918956992760e08eee9d1541879255335e55a148ba019362ce6e9ee8e0a222a6d5d9a641021148badd3d207

Download Submit
C:\ProgramData\TwAQYskw\raAgQwkY.exe

Filesize
145KB

MD5
bcfd6c1136cf4c71c0556831de644ba0

SHA1
446b87e345f3b777c09e53acd337cc504278f384

SHA256
dee4daea5d9dc5a23010ea6870a543ce4fdb057ffa0a0f169e0b1b0562eefce9

SHA512
22edefc4b575f8618d28df52c482677e750eb0b36f2d009baf83cdcd6d665b51739c0dc3ea08b8d0db92dc84e7080499c67d79d47ff5975e367e6ee3a20e2cbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
2KB

MD5
77922dca18c4bbc69148a02707972f8b

SHA1
5a06abcbc44842af347017647015c44c2ecc601a

SHA256
5c91891c480e15cf5941f1e516c90e19df41534566eea0119c46c10f515824a7

SHA512
16756b9f10ae42ba8ad27f192e9c55d56e9b5394056eb862ce0d8021676afcb1f398f544fa895da078a0ed3dcfef4a87be4a29c45c605ea1085f66ee3773c315

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f

Filesize
27KB

MD5
552bd13c827814adb23cb1de82f798a4

SHA1
54584b1371d7fce52158eb76ce11a93177a857e2

SHA256
d1b68757c4c5269e6c9b6d3447ee80901645725a0a4a704fb7fb45d2e3d713cf

SHA512
4f0490ab500596b92cf355e225a5e765b603a03218398499249eed2416633e51bb631af0491ddb96d03ac3ef179f2786a63fbafdb901c23e8af1b18246f66301

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f

Filesize
25KB

MD5
0f690c443d2b2e4c6a7e27834fb246a3

SHA1
e4511816b5e3747cac03c71c7419186cabcd54d6

SHA256
859e2aec8feabd645d2d5278340bf58ebf852cfa97871b0406202dd63a965239

SHA512
16370d1f572ae42a462375c7742c8ce7fce4e8617d232afae203f6949148de2848cb8576a6c6665fe294438d25bd00475ee231a2b77a60bbcba29e38df274dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f

Filesize
48KB

MD5
b0de08b6aada24cdd3458113d175f1a7

SHA1
225797b52f320b3efb2643c55fe55ab3a5618ae9

SHA256
40015814487b93a8372f33284d45586739a4a1e9d2b7961ab8c6d4d9561d10cb

SHA512
fd59488e0223f49d66bb3ca7a70e74b7ca2052769f78790aee0682e0306f6e9421d28ab9a34487bd8934571cccb6798c98040b25934dfe1f0a13c7ca490ecbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEEs.exe

Filesize
41KB

MD5
90322504ac8cbac27dfbb4c774da80a4

SHA1
8eae592de88c950094e497ac97792831e030270d

SHA256
b140a70348cdefacbd0b8dfa401fb5a38f24f65e7c8c9d2836f98437c10bdcdb

SHA512
487328e5ffabbf7ffa8d656e7e3d24ffa310019f3589e38f4f13925f018ad403b99856ae6af2ab7c3c4688d63bd7363bf733b99e412c2aa7eca805859d12d2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIAC.exe

Filesize
858KB

MD5
285c8160086c638a39141ed69dea9b1e

SHA1
eaf945c2cd28d95656e3b5fbca0a0aa4db487202

SHA256
2d66dd7c3fd3c3646ce35fca30fd93794fb498faf4b04b0527d9b3c95543f569

SHA512
0b2f6564a3636a4a7055c798df029d2b9f394d7c15cf50aaf32d28324fc546a7064ec42b80d9a48180f14fdf4a4ee48ca09c21f33a5cc531d67a0dcac4969e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMcu.exe

Filesize
37KB

MD5
7516f9cd20e6de4f0b331d809f83b6f5

SHA1
a92c0a6073890be0aadff50d30be212310844856

SHA256
a1dbfd113c58f250550a877b673c2c7e18dd58bbe89d6a5aa0ab0e80c643941d

SHA512
7ab9979d2d23480a155c41289ecd456c55a13ee74fef4badc5370d5a80388a032ff0c3e032eab8a3316eec8a62cfa7d014b8b7e2167de8a0d8d0f35916d402b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsoO.exe

Filesize
445KB

MD5
d0f6790bc7fe16fd176eae4976de87e5

SHA1
06cbd8edfefcaba69a64947cc16bb9bb7243dbb3

SHA256
4f4ec3c7a413899079832904eb745d7496387176fef747309f76b7c2d4b069dc

SHA512
d623d038775659aca01f0bdb2dc15998e450adfb947e07e4d527db340651dcc6c8c26fb13e76a9713330ab70bed27809afea5dcddf2918b5a7cc2d6376137940

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwMi.exe

Filesize
454KB

MD5
8c61a3bccb440e6e1632953050485d3e

SHA1
0465b4b850724a21d06be1c1c80ad20a013ae930

SHA256
8452dd030de3e22ca96b3e63da8262378bda20998dba81de571b37ce8501414e

SHA512
1c77ed98c9ab54798bc2e0aff54892d713dee065684ff50ead229da7d0cb17854d6004046d015fb36c24e7db276334d1dd5fefd0d524d44d0132b1f02c99faf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEMC.exe

Filesize
70KB

MD5
e3656a10d73ad4999118a9b194f851f2

SHA1
926630c6149434dd0a13d43bd10738bf6e01920f

SHA256
534ff3309fc7b9689191872a59c69398d59f1c29e879ec39c99203be4218440c

SHA512
3909c25848b3a352409bbf66d024802904054e28b75a804f45f4e8294f9869cfe19b747e1bb19d9069d3c9c54197002908251d6a796e55244f1067d9cfcb5ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIQO.exe

Filesize
23KB

MD5
30fa5ae999a1e25e1a9ce1d7a46dbe5e

SHA1
1e2c79bf4ad3b5cf9381e4a19cf802a71e2aece1

SHA256
74e93e360e2043b97105eb5215a8e82e4fe6c3c8b6b46823f65e68a0552a4332

SHA512
18217bdb7b793996372b17bb02dc6f0599c0f11cd3704e8e4537b6a905ba1dc69c1316344cda826f4c6e3312ace77876e374b975e64b05e221a44b1ffdafa709

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQAU.exe

Filesize
54KB

MD5
0ca7e420634165ab12b61e1780a2104c

SHA1
8166ac6fe2d454e7996cea317fc990b8cc81791b

SHA256
abb525529597693770fe288cefdb99f5caf15f570068d5054a1879dfec9bf9cd

SHA512
86fc6bf7939a3bbbf22057a357af6b7e3d1fef8160c7ec4a6c893c3c28a81a02e4178b744518e28a7ba31aa4502ab956e5bfc03ccc96dc0d4edde043d635afa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ccss.exe

Filesize
441KB

MD5
1b2a161457d28c28d7608c51c7209c95

SHA1
59af4fe0bc3e256ea9b213f962fd83c8898588a6

SHA256
b74054b47da5de38ed8add083debcb9612fd086cc573836dbd4fe8031b0f6ab1

SHA512
f1e58edea84042aee9eba54690e4156057b8c65d5a96b1cc5ba0a9f43f65d3f4bb4620e6a40c311f9a35d5f94b8327da71522f366aead714937d95952216e700

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUAs.exe

Filesize
25KB

MD5
861b11c995cba143c3a794cc4a0ac8ef

SHA1
fc45b54e78ee1884e4842a47e3382a7de2fbc9eb

SHA256
6dc30aa3ad23001965f0233256535d074239b71bacd39fe9fc23050d97835758

SHA512
682f3443f14a807dec5b3391b64420a8787bfbd39740f3c81cf1ccf3ce1aca2fcc8573cb401e2c94a35b9ace767ecd9c1fa94962efff0ed53c82b6b848eb7434

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgQE.exe

Filesize
886KB

MD5
37172e316cc8e71ef46aa38412409ce4

SHA1
bf4ec23b2e78dde416ebd6773f2f9388f2131cfb

SHA256
5c34a29d792829466601ac123447ce916c5881f9a43cb47b6900783833f527cc

SHA512
502146247acadfb46a19f63c9d86e82b02af9dfee0716e3d952693734e71df99e3853ab3a89dc84b214f3763ba31259bf64420994bc6359f27cecbbfa11cc9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIEi.exe

Filesize
898KB

MD5
f755e5e20901a47ece78e59b6000f85c

SHA1
2d5a378941067f4da6e76b5874369314f19fd946

SHA256
20f07481aa4a23a0f203162ff722b640e792a874f197c133da67b51503e193f9

SHA512
f799c5de516db5213408219245a973d0bcd8e61b1dcc1c8868037c3f266b99588e6eb3c5187202af17ef944ff06c49228db6d21f3ee7a02cf70e4aebfc7546e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcME.exe

Filesize
474KB

MD5
566e4c8c3cc8b44df548e7d954b25bc0

SHA1
e34f998d840d858b9ae248f54f6520d101e689cf

SHA256
d3b820e2a6d2769307cf62e4f685953c35ee1ab9ed24d3d8c20268e96fdf49a2

SHA512
9d305071f5ae7a85bedd1fd7d03f6d0ddc3bc68bf0aa6cd9dcb6abae321f956107616b22af7dfd09d9524926dcd35a6017e3594ec3cfad603abcd19e0b9d183e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoYI.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwYa.exe

Filesize
27KB

MD5
bbd516a10c4bd634dd804114a5a0578b

SHA1
ed8c5a7bc5cff63554213baeeea59c874a811cc4

SHA256
6f80446140dd5af4a34cf2a37ba06f18da871727a0ef1c0761eceb0deaf85f95

SHA512
b8359d912621a5a115625c11344d27fc9716688f830f29e6b12052799e81aa03f600b960097439bfb93e412da221b77dbf41a09c3a6f04056b5babf1c6f65bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEww.exe

Filesize
443KB

MD5
fc325966e53f2d9ac3818206e3668c8c

SHA1
37d1773dcd0790746923bc1b500772c7d7fe1cf8

SHA256
579cab53b2ee1ab9d8a7896ee4acb219001bfb31bb36d75f9cac8bef3505a385

SHA512
78d1728e291f3f695147c2a95659f2f8a2d3d47e2f079fb67b04ef67abc13c349566cf624211f3cbb684f8ef3a4d41531c7aa100d9d6554587a43c69d058475f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUsC.exe

Filesize
438KB

MD5
4bbd11156b4b8698c69d2e143fc70869

SHA1
945696baf816668c0b202f238ab50a534e5ad3c8

SHA256
da890ced146b182e7b5bdf41ad7a631008af6a654745c5aa722104d3cc421af7

SHA512
253dfc9f82dbeb51d8af90216991a3d607ca1916f96bfee530bb5ac91fe945b9c08c2604d29a02da0ce0c9cf61273eadc477bfd3f3af3965152253ab5e3ebc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoUw.exe

Filesize
30KB

MD5
247565450f34e1f0d614d670d3dfcf3e

SHA1
099307f34044c532fea8c9ce0b6dab3f835da9d1

SHA256
aadb35a2b41a8383b239edc6a62d76c85e2dd9c7f1d2e4d98c8c2162f13a67ab

SHA512
57dd8887803966369d34ed84c0272f66fe524e00fd777b0bff0f0762780a94eb932d71e15ecfdf0ce4027bc7eeb101a393caa9bff579df1a21590b20d499f802

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgoc.exe

Filesize
92KB

MD5
0aa643b5397c3fefc841e6be9f3526ae

SHA1
a33331a06fb8c3ef7e288b64f686a124f593cbea

SHA256
a000528cb7cf7e32cdd1a7d823fd239ba35fb061e7b52fabac873f586fcbe6df

SHA512
e40a46f4b3aadf4b2dd1989ff782a193aee036aff349a24c8098eaf76bd5c257407f93c67eb0e2ddad20c2553fdeb3068ade20b497f0106f7fdf6bdaa5f320a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwsC.exe

Filesize
17KB

MD5
e361f08dabf8de3334dc2d518baf47ee

SHA1
45581dfa903e16970d3c02b9b52b3c63dc560467

SHA256
24ca85bb4c887d4e9ed46f0479d8f544637d79015628f5a1889c451f68538bda

SHA512
4fd847d4f1c0383e7b8d88df4dd66fd89efa1ac87d8e95452800b729d3438d1bfa71151bc625933ba80839ce801f594c1e086835724ea3a9019855948495440b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMoW.exe

Filesize
47KB

MD5
db98e482d6eac1e7051bdb5be980c600

SHA1
30934974f561db337d33fea82819afabcac7c8e7

SHA256
39c9b3db0c7a99fa0aab7b5ec492e113745f811d5fb9b3e5c5873b93afa52894

SHA512
98649ea27d00f263a7626fe9f2554a70581cc891421b1640e3c0df976cde19926dc03cfc376445424dd0ba53b07f4c872d5f24c0e1c8c4f3475ad7e0d4112f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMsO.exe

Filesize
52KB

MD5
42ef350c52da15d2baca1a6d55309659

SHA1
d5391961659d8d7e2797f0b27bb59202b530c7c7

SHA256
7eaa1f6e90395e5bb3a2069b7d1fdb58d54086fb97e6df4e69b14d96f6c9620a

SHA512
2984c73b0e998639ffbea07fc32c5228cb2cf65a0fe03ad77d47ea37377101c8cce5d6b661fde1024465a1ecb109eb634da36e85295456e41c652a377000f3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUAG.exe

Filesize
17KB

MD5
895d27e50fb4b27a073869f34efd0f54

SHA1
c38deccec55c08bad41d1cdd5e37b6952671205c

SHA256
b5d5fb87b50f7d6680ccef8874a04c860198b96e308a933b06468dc2943c0cdd

SHA512
5b39244e77ffcace23c7b7e0b36748dcde0d59b7ac5cbabad73357e69823d5c1bb7b6571161b254f790eab68e9051f40778e10b633fd22c87c40b389fbe9423c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgou.exe

Filesize
1KB

MD5
e7d3fa9516239816bb9ba6788e4823b7

SHA1
a30dd32ba5c8120a4bc913bd9699473897ff98bd

SHA256
96a3db2977002b420e68e1d2df8fa6401ca473f0ca30bea864c6e863b66a0304

SHA512
d414f9504311de8960f4b2ef4e24c109cc4da12f1133b9fc425e69a78e70b16c584c6ca07d538f868e81c927c8697043970b47b45bfda1607c699fa42d69b084

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKoQ.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUMM.exe

Filesize
435KB

MD5
5cb29698dd0f019dbbccd94ac14d620d

SHA1
8b8dd6f2e79a0679b77ad243980f4630e44c7490

SHA256
fbb7e0d955c0a07b8865233c225c0cec5da422ac2d66a0a355d8596a7b0f8137

SHA512
4cb0e128f19582a388959fbbeb5af6a5c38b764c18e53de39342b6ffaf8f5769962e9b284b825eef8390d297cba2f6880cce2d4f71878028e5f1cc8b39188e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sokm.exe

Filesize
37KB

MD5
03da87f524ee7492053e30f394eddc29

SHA1
51935f6b7a62ef541b001d05d07fcbee9fa4baf2

SHA256
8b3acb454314b20490e02ce6196a721bcf5fafdd8e8ec6b079525998c8b7f7f5

SHA512
14de9c8fcdb636eff1dac943139a8ceddf037fabc1443a3a9194def6c22fb5774c498e3099f223339b67cea8338e4a7745093805a358f27039c066ba2cf0dd77

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsMw.exe

Filesize
29KB

MD5
7ccb4c588586892cdfe9ebc16a7fc35a

SHA1
7bb245fa93c75448a6728a8535a368513600ca7f

SHA256
37949d289e27ff074f236454a467e93f82dab8da3fed6a74357e398ccbb59d62

SHA512
09a20fa349d4b68eda6ed696d145e8fb9d0647f8dc9652abd52de08234e5540c5702b629f6bc70d0e7bbbbb043970125b452bfbb38d9a210277332269edbf4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUIo.exe

Filesize
817KB

MD5
6ad9d21035186522d2e04e8e5257e397

SHA1
ffe1b503d8aaec57b16a3a58389401202ed7f442

SHA256
80454957eb1c2f808e1cb1b045e4871864245974ee49646d32d169a30ced424b

SHA512
e217c1456b9531e2fc18d5c0e8781a55b15129d2b64b926f5a0ffa3f052ebca8fb622f51bab3736ea1c7519bf6d3b56f800deedcecb3e098a747995bb7b3d7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgMc.exe

Filesize
440KB

MD5
a97e0f7b449bf948024d3ecd08ac7e73

SHA1
68172f7de827a3e59d8d6bd282a770f614c467c4

SHA256
3437ba748c1e2d16a9fe0708fdc59fd3448f642226c3d94778b1a9a6394e3a5c

SHA512
62295c8308019eec377b4eb753004e1bb88382c58ab96a95408aad739928018e7d778c8958ad9c7a775e5581d2e5a048a8898f4581cdaff5278090695f51908b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoAW.exe

Filesize
22KB

MD5
5c6cf7dabcfd29f0abbc720913f27937

SHA1
ae8102b586c8aba6f8caabeef92f582a4c0f9c5f

SHA256
8a15322fd23df6875593774ecd5f9e872a8028df6746268fe38ad42c17d0b8f7

SHA512
448eff1e3af3a037bc64e43b47f0a0fda5cec5080623d19aba0612dcd48db7b84062a020c30a5da398ede6d6bf9f8bdfaadb25769e705eabd3e015553b04f6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMkM.exe

Filesize
437KB

MD5
5df258d3022e8714839de1b5d481fab5

SHA1
5c51d8f2c3caad35f097ee4a8619ddd8d30e6460

SHA256
afaa5bf3dff22bcaf13b498485789f25a7d9b652c0831a96e58e4bd66da1f8ab

SHA512
feea0e1c358b15cb2aada2f08e95e5a38b0331775620f6750ec1acd2389c8cebdefaedd046ccb721c4c736372cfde46e1857a2472c73439ff9068799e241a4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUUW.exe

Filesize
433KB

MD5
f319ec3ea0b7839f61bfdfa9ccf86705

SHA1
11478a752d9c7ac74d9214348f32b10acf77313f

SHA256
0259dd3d183c7ecdc1d843b5d316876c205ecf07a6d3d7c1ce887a31e4fa56a6

SHA512
3575f5d6b6e3606ad17ef1630d47d13b9803f1903c1df1414e5e421a842ccfeea7466e238bd52d92fe03f4da8e152b8b66e164a275bfeb53f7db1c780f9415e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkUM.exe

Filesize
37KB

MD5
e513e30552161ec9be6122cb8adab17e

SHA1
01efbc77cac4a095271dfd283205bc683c303bd3

SHA256
54f6f92a136e5a1d2aab47b24c59ee5bf713dfea0a65eae69d7d12c8d0317cac

SHA512
0b70a81f5e599d0505d019371317f293493edf5c07690d92dd3d33966a6344ca9c3a5240e02901263c610fabd25496c50bf77a0862174a15bdf77c341a324938

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUsE.ico

Filesize
1KB

MD5
043c4255812ec0ee85deb971a1fac69b

SHA1
a2b1bc2360e5a89ade29a15e82452d18d2344167

SHA256
7b64481a0fa48c854b30508fbf23c63aab081b7fd09233915760a7fc3a677f4e

SHA512
962069dacf2b59e42dda080e45c9d35fc2f2cbe957552732faabc6e51e72c8312b499c97d7a807496a7c25a81ce69cfefb05c642a995a2de84d0aa0ae3482880

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoES.exe

Filesize
46KB

MD5
1d22d267e4eba362a1e5495452f208a9

SHA1
459a1eaede0b034faaa7d80fac6f86a7a92d7e76

SHA256
65fff7c647bfd415fb0e68d71501aeb03f6a5668d5c132351173e59311907264

SHA512
1861409199f7ad0baf7e23da6fc8648ff60e7fdf1fffb0b2920586ebc0c4f5d24f032d248815c5134f192310401229980844185ffe11b6ebf526c71bd225265d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIMG.exe

Filesize
19KB

MD5
cce627664014e5a921dd58f3e9b4a9ca

SHA1
ca18d338f7474487fc6bd9964a6a0caf1002b51e

SHA256
899df763b8c39566ff663efba3ba66cb193cc7877b346b49b38fbb95d006d38d

SHA512
a2b31d6d4ad72de4053925e05084dda1a25894c7f49454efa457c61182b030e6476a5b4a989d3312e2135569631c4a98cc010e8dac7643773964d6499479a235

Download Submit
C:\Users\Admin\AppData\Local\Temp\aksm.exe

Filesize
24KB

MD5
233b62e16b13802dd2344ae51848847d

SHA1
a9228ddf36a8aa3bed7d647c54c05a7a01eba95d

SHA256
a41feb3d239d7247b8a2f26654dd32719fba7ba6be612ba37a26f97dc938efcd

SHA512
f8bee51947ef4d64ef94e5a33307baf68f8f912dc2205b6e006bbbb9a857e686683534bc59f69d51aca8babfc52337b0d8d5104b0b8c96e313029e2beab33983

Download Submit
C:\Users\Admin\AppData\Local\Temp\awMO.exe

Filesize
858KB

MD5
1a9106d8c8e7518d5bece9192081ef74

SHA1
5a83819426210282f26204ea8c209f7692335a2a

SHA256
34d24bf28bcc6c398c41249f313476592f36e0f9f296406b085fbd161e002c59

SHA512
4179f69fd9dfff2edaa966dadc07e9c3206e8cb313905684c81c6ef6ca276490dde4022b3a30964b068f225d881e750bf14fd0943364ba2f15a178495332875c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAQC.exe

Filesize
441KB

MD5
d4e7f00461acf7c7130bb191675e3467

SHA1
4a1745dc2eec85881e41c4c1f8005fedaecdf154

SHA256
bef30768275e40500087a0584242e14d1b10fccb14f457f52ac6a66b50c31545

SHA512
b4d961d2b8e2aa159971c31cf9ab6e36e1744f2c561b1e61e88f321090c24d53d9377a30969e23e73d842266c97e07ab68050dc256d0ffb268d3ac1a8e3eae11

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEIE.exe

Filesize
26KB

MD5
e46ac0d7348b59b9170d0aa39f625314

SHA1
f31305460cb70bd0a892b299581151a38075079a

SHA256
58532e97351d79a60161b6607eb64d7828045bafc48e36815bc63fdb69ec8e15

SHA512
f3e009fe625f578d05cf13a45b42743a6057e4b962be859748e59ab7f38d5e8fe3deaaf5276a98be66a99e676d578260b1c0632e95c7aeb1815e377732fb3b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQYe.exe

Filesize
31KB

MD5
f25bac828b3bc917f67efdd91aa1b023

SHA1
323d702e0851cb9a8a0f702840e861924a80c64c

SHA256
c6eee4d797338b1a3fceef99ab7c0c253a79f87e8b33c4a559c5279f197a874b

SHA512
37b7eae1d3570832c5ee3c63040c2dc81f45bab2716c7471e6376ed596c1e05c62c47b48b56338b7f3d798eb81753e3f9b599153d2d5ce540b2d041c0fcc2861

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgss.exe

Filesize
436KB

MD5
043dc4f2aff74b5a7d17dd47a2138a3e

SHA1
f61f3525caa56b306888dad1e48f8a0011831bf1

SHA256
925ee324fccfe31dfc3ca9cbcdf1573fd38e9f556cd4b98d6494e3857b74edf2

SHA512
47ef3b0d61a4bb7f731b9080b997c01d0c4d5c419c2b86e7048f6dfe788bd2d55fb573dc586beeb6d25d7e5f93ec2e4fd6153959341c4845c9a230c6cf13e249

Download Submit
C:\Users\Admin\AppData\Local\Temp\cocy.exe

Filesize
940KB

MD5
c0c655677fafe644374deabe3e6a5db3

SHA1
17dbf95cad6ee0e45cecdca01ac783a8f468c7dc

SHA256
6ed0e2f86a9f75e3338ad7164ea5ad2a129777eaa56b2a2e731fcb9e6de9fdd1

SHA512
5e4c613ffbc7dde2c357301ed1b28d909fa0c2014ddb7ad3fd76d7012f77b15554eec25ace003aca0cc5e214bd08628d8a04f38512305b1fa824413032cb214e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cokY.exe

Filesize
992KB

MD5
5597478a3f3e080c6dc753f4c21a7918

SHA1
6eda37346d107080ed629e714c1becacc272bc73

SHA256
ec6d612445edbac38ac201dadd697c799b5c5ff814ff3a8a5a2a3ebc404d5869

SHA512
eb2acb7d8aa5839006ba78bbaca496d4bea97655a837f357b732c2874b4272d85ec575028cf9a1ff75ce17f5a53eddd95e2f4c50eb0e36dfd3699aa854640044

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAcU.exe

Filesize
438KB

MD5
b5b3b29ff9596bef5f6ea785c6436a99

SHA1
6d2602dfa6dc033405939a0548e88deae851a025

SHA256
af0bdd4ac1ddb630bdc394994f028f5e222965b8c5433da2db0d8b9a4c32ace3

SHA512
f772c345cd60274bb1e5d9be09d073b3ae727420b09b16e6c67031037bf6985723f0dde72d7410afd56e3ea1e87e074e01bf4279101407eda153533de710cc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEsI.exe

Filesize
19KB

MD5
62cacb48eab9539768e91ea7d2f913d6

SHA1
b857710d0f674eb79560150f6af257b7e8ecd584

SHA256
9be0582aa473fc4a904aaa2b676773b72f1320a1dfefb5b3762ea761bd0aa9c6

SHA512
57d5b795b288950a42bdf5b2618985a78c97cd8c6c09d2ed1706907f4aa312add50e0c3602bf133e22d465658764445bb663f707bde0a3d5aa7f1897d5eb079c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIMO.exe

Filesize
438KB

MD5
9d706b8f8b7b5450ee7d5c04479df88e

SHA1
6a91b480fc0be338cc6ea58feac1861384139ecf

SHA256
5ed8d4c67a3e23d4b855c7c9f7ce3e0ce59c6dbb53c62d3e0cbf07489812a2b5

SHA512
d7dfeba8e5991fdabe50c87be59ff784735ef4bece56e0105675137b21c6c28e684a692feaf2a04961ed9796af9e924f717d65378ebd7f5d1daaf7da4c7bfb65

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQYE.exe

Filesize
468KB

MD5
6d135dbfb37c5a75a00b8928c29d63b6

SHA1
c79e013a6f55e4f0ec8ebbb7a3ed1916427d13df

SHA256
31edf2ba9bbe9354e14b641329c91f046cb282358227974fea5dd2bd6a4c5153

SHA512
194eb8ab22510c45209a4c6f39f02620e08ecc2e60a83e9f9346c51bd56323a83ca42e500935681f716a0297b6c7471d73f8a25ded7d0093ed342953801be8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUEy.exe

Filesize
21KB

MD5
b157a823fc21f0d0c01b11032d21f556

SHA1
eb7acc945ff4e751520069e9d64d8950d9ecde01

SHA256
2ab944ac84e2257f117ec9524dc38af28fc8dfa9df195dc71eb2b804d5ea86b9

SHA512
a775fe9671b7608adb0bf44282d47847aec8bfeae484527555c1e14f9bd506e6fd2cf1d5d160edbf190ae7f73f42eb341772bacfa4d2b96467c73e9941672d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\egsG.exe

Filesize
440KB

MD5
92a1f3fc2e127f78d53a486064c391a4

SHA1
6ee099bdd0917fb5bca63205c768552beb57b1db

SHA256
dbfe6da491ea26620912e4dafc7f82901f033aeaf2b1904cfee19b9eb6708404

SHA512
6813afdb64cc49ca62ec015216921c5fb830dbdc24823a99f2fb7b0ec2c6979213965e1f411cec7061d8d89dbb9cf0eb48e1418ca091e0b463f2214867fbbed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAEy.exe

Filesize
43KB

MD5
f9d064fd605795f3c482d2696d47e434

SHA1
4377b1b29d1090cb2f07e9b4cbd0878321c5400b

SHA256
916447d9742f567b86f8fb4771201b7080a65ccaa03655b233e0b837ce62f7f8

SHA512
bd762fedfd67091b0340ced2c09cbd16d8a4cb1763bf6f7a3071cc41bb5b17721c9152455abe03f09fe3d7e61a5efae56d58bf9f0c6937db13c52ef4f1455d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwAw.exe

Filesize
1KB

MD5
2990462ea0a3163c46eaa06c1cfde33a

SHA1
c735fb9d39249839213155c53444b2e47ab6ac6d

SHA256
74743a4b4c26d1b15f8826ccbb93facb8c31178043604eefb68bea83046da7a4

SHA512
c4430c595c5b15fed718eea760efa1e6da783d4e43d966a9b716aa97ccb27c66d067cb0650529075fbf45dede607108b637fe50f648af0b8db9b384085d9db52

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQYM.exe

Filesize
454KB

MD5
68060317b171a641d039d7d9ca7e4c4d

SHA1
db92f59eff7e0f0c0af847a8e32c057abc76af61

SHA256
8eca0edeb22366c5933478457a624a87656fb77dccab89eb2f9d38cdfb6abbbc

SHA512
667d7102b60bf2f8a64d5a084e0fbafed24de4afd235b55b035195d20f00159a6428162a4ad38584dc321c9c7fa4ba38c764775f8dd4d95c5154555bb3f2c5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYkG.exe

Filesize
895KB

MD5
99bf9f39ccbcb32f5b05bc866491ccc8

SHA1
1f3ae87a8ae76173f1a0f119b778d6cf114592b9

SHA256
d0d400b0a3fde89799a90a16e57e3e6fdb182f3300c1f2b376e32416996cc31a

SHA512
dacae5a7ad04f1df34f15fad0038ae2423ac84cd9a1fcdac4a9d53c84d41c19e5fe4135d6c52a8c089e31a943f23964518781d749e9e4b987a8ddb097d2e2081

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcsK.exe

Filesize
504KB

MD5
77d8d85d5c3bc9b67a4e512bf3f7365e

SHA1
3f7e5d08b31374cd7c334a9885d620d3e27fefbf

SHA256
a63942018d175873539f5e6d3de0a7874a13b6000ccf9ee74754f09a1cec1b55

SHA512
53c55f10137fa8bab4728383f56ef0a68a25f9771cba81d683fabe675fe10d2940fa7ac896c49bfc0e438a5f191b5518e80a6d7895c9d3df845cc6a7e1dc5572

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAsC.exe

Filesize
560KB

MD5
bedc31f827034711496eb91025cba238

SHA1
14a113dd6ffb5fd7b70e0daa6134caa557ca163f

SHA256
2689af9e5fed3217512b74252ad5352be372738147e1a87a8a0c8740d4433c55

SHA512
9d480a44ba41c0d531f52600f2e09dd807091766978fddb3558c71efcbc953425c77f61703f50fea696031153f955b7c4d7bea6f8acc322ae5e9e140ac68a221

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMAm.exe

Filesize
502KB

MD5
c598a7d3410dd90dd821a7181c2eb710

SHA1
a4ca7b6db5580f4d5bb198ac2512a272791f5d50

SHA256
b4120e98a5e2ee917ec424d669c9d733f0f5404bc69f42b570b8d9ca848419a8

SHA512
a1c666b01a822da1d8616b30e3646df0786493a24bf43dde90f25c73db316b5edcc2c8f0e7c642ef1a31a7c853201a592cfa0a21a8aaaefefa49233e75dcd1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQwe.exe

Filesize
1KB

MD5
72e439c3aef0fff8b2587a5b7421563a

SHA1
fe7b33c48a69521d2870dfc0f0115784f58bf673

SHA256
2a5f8511c32707718c53b719df560b77e3c31812a0f0df1b44470c0e558f806e

SHA512
102b061dad341aeec7da6572ee47aa9d3e368a01ef321464f99bd8dd93080234649bcb7fd56cb44abb3f55df242033cba88ba787e76b0a7acb950ceb4cd4c4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUYm.exe

Filesize
25KB

MD5
62a0adff28575305e74699c1c4cf36ac

SHA1
6d8fc92a98b190245b7f12949032bb459b6481ff

SHA256
549491fb34fc996532fec9617949eced01ec444357063e67c52c2113a05e9bd4

SHA512
291381d7190bbaf39c92255ce1623a492e3182757e367725ca77d774d2aa313b19315a3ba65048f7a74b13049ea421186d4f2aa228ef55a2e4ae5a047aeba551

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkMa.exe

Filesize
1KB

MD5
df204f36d8aacc010ad96371f9f083c5

SHA1
7bb00709fd4c5dfa0545a8602915dc9e5ea0c297

SHA256
81d88b2800355578cc7793010e64cbb2e1d13ced66f134080c3ae3d5943a2990

SHA512
9e0c7e5c4fea1bbc298df88af3e84d2794c6093c884ea6572add5d5d19cc80964c5fde089e688fdacc648802316a4f0da725fb74fc13b587104e5ed9cc6b9242

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMMW.exe

Filesize
1KB

MD5
12e81dd807244f3ff99c07d1a41545e9

SHA1
106298c75e98d4ff0950b0a60557e920cf38ea78

SHA256
25275b0f29eeaac3fd9c783ebe68f81ab41d62d683428af9fd4aae279ef64922

SHA512
ed343b2ca8c333aac3cba8e7d4ecb7450f8b83eeaa0935a16447fe8f17a7968b7352b4a8eceab3d5aac9db064bd214a236e642a1f7afe36cf309b8848282f91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgoS.exe

Filesize
483KB

MD5
04f4a5044f7649df0e4e8f64a4768cca

SHA1
8b94e579d07dcecd727168ad2a8c1d0b1d0a824d

SHA256
cf3efc0c7c096acbffe01f4b481288a4094b0134f91ba05383c47c3d85621d45

SHA512
d0b73421dcf830953edf05747f5826eeaa6527d8b81cd825a3eacbd2f3c9aadeefa58d0001e7d34281bbddcfb7db9962a69e7bbd62bfc07e11889bbf65aa0ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiAw.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkMM.exe

Filesize
935KB

MD5
ed1932b326c0df602711b1e61fd46d11

SHA1
10eb557f4b20a35b70276d92f8d7f731bc79ae85

SHA256
b7e23b2390a3601a71afbad14361524c03fbbf9c2b63a65707356fa38cca17e3

SHA512
b605892f8ce51cc21ed3627044851b4820b8cbfbd84594ee562169b56349aa2c546dedeff0b138c24cf2fd0ce29c4d5f9d2cce45a64eb8b31d699e9454ac1f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMwO.exe

Filesize
439KB

MD5
07e8509feabc0a1476a0e61d5c6951ba

SHA1
62a842b397b92f3c9fcbb21f3cdb894d33048a7f

SHA256
d589ff2cb3bc9970caebaff99db8a6bd5713e27ef3cf11dd06af7be7446c3034

SHA512
e404ccaa3a663720aee966d1d6c76469f3f54eb0d7396204b26b9dd0ac13d9d82e62d5470d826953ad7fd386089c89e1116b9b62b0b2a4e67fc47bac6d1923a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwo.exe

Filesize
43KB

MD5
40f5e1ee095150e454f67a6a00f870b3

SHA1
7bd631a8219b80610602ef77641fca806a1051b8

SHA256
ec1f446f7fd6b32b112c5146de7a55f2cd544e7cdcc920f7adb026a649fdbf84

SHA512
d1c7001a920a6a4d12af084fb6b9f98960b7783011b5307ee553871591bd2d18499ebfc52f01899307a2a3ad09bbfa2e4bfbcbe77d6a2625fdc28ed83f91c3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUEo.exe

Filesize
453KB

MD5
5a2aae3f4fe7f9861dec845abc038c77

SHA1
76b6f907afb931843feb9899c0dec973308ffc26

SHA256
d4db2140c21959c8196c2bd276c06ef07582d0c92f57e0ba464182495078b0d4

SHA512
a8ff064de5d69b756263fd44763295bb22c050f20e8b696198a835fa83a6c7fb87d82650b37bddb4ceb2f68b55180c230112e3335e0cca7e90e84ca9d94ae538

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucQk.exe

Filesize
1KB

MD5
780403d1a0e1497402386c49d6c26070

SHA1
432103dbfe8995c07e74250d4a8c6bf65e5d6d72

SHA256
51307ed48f59f6555a62391f6479f6215c1bd26794caefe4f6826c175b8922df

SHA512
694775e775739a5ce5b0fb7984a8706fbb0ef11be799f974ee340a6d34249013669b580184f0858376d8565625eb1759acaa0caa5b597aa74b1197937154c34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugoS.exe

Filesize
548KB

MD5
b9a384908c60ebe1739c8186de314545

SHA1
4621aabe180ef9e6a5e0a54639fc76bacf956bba

SHA256
d9480a23b33bac663cb4fa092742b4dd4bc90bb3cab53fde4d478654724aab7a

SHA512
5c2ee911ccad8b3229dbb626e6f3aa26c0765127e9235cc0d0396370fe7d4f7bd08a8c5db9a9eb872271c2405f944c5ec08c1cfea6daf6e102bdc7a5c0ca6fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ussO.exe

Filesize
11KB

MD5
7d5d063e60e482ccac86514819d96106

SHA1
9f292fb09ba6e731a6568421d7e56fbef1937bda

SHA256
fcad8e0553a29788ffb6eec01cfaf598f1a31f36b1d37f2f12d1faa404e6588c

SHA512
fe07ed3f497667a6e6bf11c3d32f4464e9e9ccb3849b65e7e895272699aa244a756c71c19f154671ee4e27075530848370b282dc0d1a2c45bda522e3b5d322c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEkY.exe

Filesize
1KB

MD5
6c2d048b1312b510d292000699060f00

SHA1
55dbaf856c839cad65beda2c329233ccefb40206

SHA256
b33e82f2de439d57bb8c910772afcc5debe69ffffdfbe27296b9637fad41209b

SHA512
94a0e2e38170ec31b15655799d5622d09338542c384149a0a6ee7fab0b0327a2e2e2516c345b1a4f396298268c9ba0d312ce1e9e313cef0912306e0224b2b9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIoQ.exe

Filesize
43KB

MD5
17286c3aa944c595e32dd58eb858b8e2

SHA1
321e1b4983db04381e5632454b621faab963e472

SHA256
8701f23fe5eee3617b2082a3aefe82314685120e5272010c3dd0c5e76b4e8596

SHA512
2175f383b5a981f6616dcc9b1d74cda4d163087e7ac9f777ffdc9d9be9f2776782a9c896e10043ebf16ed195c1e6c7c719622402b57e43e7d8ca49d25efe3d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgYu.exe

Filesize
8KB

MD5
86c52bb3fcee13b874397151019d0390

SHA1
bca7e2b2d6708e436990d6dbcd889122ecb3b21a

SHA256
8e300a37afced8517626bef2209f601427c10bf648eff8c016df94f9a60ae9f4

SHA512
0ba58c80762890b2a4b461b729a369bd9a1c40a040099d4b56671ebd53132bbda96c4f36324707d3c98b47eb282db76c398dbcf2773f5e696f6e1d311252ccfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsgwsQcg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\ayEAEYoE\WkIQYIUM.exe

Filesize
434KB

MD5
b7c209939a8512c7e09ac9d78199146d

SHA1
718fc824c9bdcf5c63091da10d77f97f86cfdad4

SHA256
9ce3b3edb1724bbc3add1047bf03fbfd582fdae4d0c26a5bb462034a877e4dd8

SHA512
39014281ded0017126df576f0a665c6eb3cc0752d37ad514e65e81bed1900ad4b1ad442a3b5d194bfc771deece15fc6b72166ae72d420b8f74e1598b4825a717

Download Submit
memory/112-143-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/112-173-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/112-130-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/112-194-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/232-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/232-126-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/792-125-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/792-16-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1004-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1004-99-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1004-201-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1008-91-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1008-76-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1256-286-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1256-241-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1860-131-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1860-117-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1984-155-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1984-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2148-167-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2148-151-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2204-1199-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2204-995-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2204-1085-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2204-881-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2264-662-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2588-55-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2588-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3664-87-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3664-104-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3776-211-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3776-221-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3860-217-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3860-233-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3976-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3976-45-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4056-245-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4056-229-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4148-1200-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4148-1264-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4160-100-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4160-115-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4500-707-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4572-487-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4572-578-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4600-9-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4600-116-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4628-425-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4628-334-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4684-177-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4684-163-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4768-79-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4768-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4876-41-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4876-27-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4932-31-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4932-21-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4964-678-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5068-283-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5068-352-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5112-186-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5112-198-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5396-1320-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5396-1329-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download