def3b7ba5b2651941218d77272bcb2fde5d6e91ea64507fee316d4085a18b244

Analysis

max time kernel
157s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d237f885015bacd32483f7d4135d1df.exe
Size

488KB
MD5

1d237f885015bacd32483f7d4135d1df
SHA1

1f01e2174ee2b300cf5c74d7df0bfaee11a57f78
SHA256

def3b7ba5b2651941218d77272bcb2fde5d6e91ea64507fee316d4085a18b244
SHA512

8447ae5500a602f7e763c81469e9f4e540c226565ad6a970d10675a75dd02c3ef3a02bce7be3c9b6f8c3bdd9318178bba2c8a62298c9b9bf7f23c0e309ff32d7
SSDEEP

12288:xHVPzjc6qD9ShYAk9FML7ke0fOlW6z11z1gx:xxch9r9hmlW6rz1

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	YOAUskwI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	SUYEQUII.exe

Executes dropped EXE 3 IoCs

pid	Process
3172	LwcwYwAE.exe
3808	SUYEQUII.exe
1368	iScIcQEU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fWoMcwUE.exe = "C:\\ProgramData\\YaQIEIsQ\\fWoMcwUE.exe"	1d237f885015bacd32483f7d4135d1df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LwcwYwAE.exe = "C:\\Users\\Admin\\sgYEEgYo\\LwcwYwAE.exe"	1d237f885015bacd32483f7d4135d1df.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SUYEQUII.exe = "C:\\ProgramData\\OgEEwIEA\\SUYEQUII.exe"	1d237f885015bacd32483f7d4135d1df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LwcwYwAE.exe = "C:\\Users\\Admin\\sgYEEgYo\\LwcwYwAE.exe"	LwcwYwAE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SUYEQUII.exe = "C:\\ProgramData\\OgEEwIEA\\SUYEQUII.exe"	SUYEQUII.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SUYEQUII.exe = "C:\\ProgramData\\OgEEwIEA\\SUYEQUII.exe"	iScIcQEU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DaEEcIgQ.exe = "C:\\Users\\Admin\\QmYsooEI\\DaEEcIgQ.exe"	1d237f885015bacd32483f7d4135d1df.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\sgYEEgYo	iScIcQEU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\sgYEEgYo\LwcwYwAE	iScIcQEU.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	SUYEQUII.exe
File opened for modification	C:\Windows\SysWOW64\sheRevokeOpen.png	SUYEQUII.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2092	436	WerFault.exe	246
3640	2324	WerFault.exe	250
3184	3212	WerFault.exe	248

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3956	reg.exe
2272	reg.exe
3300	reg.exe
5384	reg.exe
5708	reg.exe
3224	reg.exe
4492	reg.exe
3536	reg.exe
4868	reg.exe
924	reg.exe
4376	reg.exe
496	reg.exe
3448	reg.exe
3680	reg.exe
3092	reg.exe
1404	reg.exe
912	reg.exe
3184	reg.exe
4816	reg.exe
2548	reg.exe
2596	reg.exe
972	reg.exe
3080	reg.exe
5400	reg.exe
1604	reg.exe
4904	reg.exe
2132	reg.exe
4596	reg.exe
4820	reg.exe
3580	reg.exe
2260	reg.exe
756	reg.exe
4376	reg.exe
5972	reg.exe
3956	reg.exe
1152	reg.exe
1828	reg.exe
2188	reg.exe
4180	reg.exe
4860	reg.exe
3224	reg.exe
5392	reg.exe
2284	reg.exe
1764	reg.exe
4472	reg.exe
1876	reg.exe
2104	reg.exe
2576	reg.exe
876	reg.exe
2180	reg.exe
220	reg.exe
392	reg.exe
4312	reg.exe
4544	reg.exe
496	reg.exe
4352	reg.exe
2440	reg.exe
5092	reg.exe
3476	reg.exe
4740	reg.exe
1176	reg.exe
4012	reg.exe
2276	reg.exe
4396	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4976	1d237f885015bacd32483f7d4135d1df.exe
4976	1d237f885015bacd32483f7d4135d1df.exe
4976	1d237f885015bacd32483f7d4135d1df.exe
4976	1d237f885015bacd32483f7d4135d1df.exe
3536	1d237f885015bacd32483f7d4135d1df.exe
3536	1d237f885015bacd32483f7d4135d1df.exe
3536	1d237f885015bacd32483f7d4135d1df.exe
3536	1d237f885015bacd32483f7d4135d1df.exe
3588	1d237f885015bacd32483f7d4135d1df.exe
3588	1d237f885015bacd32483f7d4135d1df.exe
3588	1d237f885015bacd32483f7d4135d1df.exe
3588	1d237f885015bacd32483f7d4135d1df.exe
5100	1d237f885015bacd32483f7d4135d1df.exe
5100	1d237f885015bacd32483f7d4135d1df.exe
5100	1d237f885015bacd32483f7d4135d1df.exe
5100	1d237f885015bacd32483f7d4135d1df.exe
924	1d237f885015bacd32483f7d4135d1df.exe
924	1d237f885015bacd32483f7d4135d1df.exe
924	1d237f885015bacd32483f7d4135d1df.exe
924	1d237f885015bacd32483f7d4135d1df.exe
2832	1d237f885015bacd32483f7d4135d1df.exe
2832	1d237f885015bacd32483f7d4135d1df.exe
2832	1d237f885015bacd32483f7d4135d1df.exe
2832	1d237f885015bacd32483f7d4135d1df.exe
3748	1d237f885015bacd32483f7d4135d1df.exe
3748	1d237f885015bacd32483f7d4135d1df.exe
3748	1d237f885015bacd32483f7d4135d1df.exe
3748	1d237f885015bacd32483f7d4135d1df.exe
4536	1d237f885015bacd32483f7d4135d1df.exe
4536	1d237f885015bacd32483f7d4135d1df.exe
4536	1d237f885015bacd32483f7d4135d1df.exe
4536	1d237f885015bacd32483f7d4135d1df.exe
1308	svchost.exe
1308	svchost.exe
1308	svchost.exe
1308	svchost.exe
4492	1d237f885015bacd32483f7d4135d1df.exe
4492	1d237f885015bacd32483f7d4135d1df.exe
4492	1d237f885015bacd32483f7d4135d1df.exe
4492	1d237f885015bacd32483f7d4135d1df.exe
4664	1d237f885015bacd32483f7d4135d1df.exe
4664	1d237f885015bacd32483f7d4135d1df.exe
4664	1d237f885015bacd32483f7d4135d1df.exe
4664	1d237f885015bacd32483f7d4135d1df.exe
4852	1d237f885015bacd32483f7d4135d1df.exe
4852	1d237f885015bacd32483f7d4135d1df.exe
4852	1d237f885015bacd32483f7d4135d1df.exe
4852	1d237f885015bacd32483f7d4135d1df.exe
1932	1d237f885015bacd32483f7d4135d1df.exe
1932	1d237f885015bacd32483f7d4135d1df.exe
1932	1d237f885015bacd32483f7d4135d1df.exe
1932	1d237f885015bacd32483f7d4135d1df.exe
3316	1d237f885015bacd32483f7d4135d1df.exe
3316	1d237f885015bacd32483f7d4135d1df.exe
3316	1d237f885015bacd32483f7d4135d1df.exe
3316	1d237f885015bacd32483f7d4135d1df.exe
840	1d237f885015bacd32483f7d4135d1df.exe
840	1d237f885015bacd32483f7d4135d1df.exe
840	1d237f885015bacd32483f7d4135d1df.exe
840	1d237f885015bacd32483f7d4135d1df.exe
4892	1d237f885015bacd32483f7d4135d1df.exe
4892	1d237f885015bacd32483f7d4135d1df.exe
4892	1d237f885015bacd32483f7d4135d1df.exe
4892	1d237f885015bacd32483f7d4135d1df.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3808	SUYEQUII.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe
3808	SUYEQUII.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 3172	4976	1d237f885015bacd32483f7d4135d1df.exe	89
PID 4976 wrote to memory of 3172	4976	1d237f885015bacd32483f7d4135d1df.exe	89
PID 4976 wrote to memory of 3172	4976	1d237f885015bacd32483f7d4135d1df.exe	89
PID 4976 wrote to memory of 3808	4976	1d237f885015bacd32483f7d4135d1df.exe	90
PID 4976 wrote to memory of 3808	4976	1d237f885015bacd32483f7d4135d1df.exe	90
PID 4976 wrote to memory of 3808	4976	1d237f885015bacd32483f7d4135d1df.exe	90
PID 4976 wrote to memory of 3624	4976	1d237f885015bacd32483f7d4135d1df.exe	93
PID 4976 wrote to memory of 3624	4976	1d237f885015bacd32483f7d4135d1df.exe	93
PID 4976 wrote to memory of 3624	4976	1d237f885015bacd32483f7d4135d1df.exe	93
PID 3624 wrote to memory of 3536	3624	cmd.exe	100
PID 3624 wrote to memory of 3536	3624	cmd.exe	100
PID 3624 wrote to memory of 3536	3624	cmd.exe	100
PID 4976 wrote to memory of 4860	4976	1d237f885015bacd32483f7d4135d1df.exe	101
PID 4976 wrote to memory of 4860	4976	1d237f885015bacd32483f7d4135d1df.exe	101
PID 4976 wrote to memory of 4860	4976	1d237f885015bacd32483f7d4135d1df.exe	101
PID 4976 wrote to memory of 3092	4976	1d237f885015bacd32483f7d4135d1df.exe	99
PID 4976 wrote to memory of 3092	4976	1d237f885015bacd32483f7d4135d1df.exe	99
PID 4976 wrote to memory of 3092	4976	1d237f885015bacd32483f7d4135d1df.exe	99
PID 4976 wrote to memory of 1020	4976	1d237f885015bacd32483f7d4135d1df.exe	146
PID 4976 wrote to memory of 1020	4976	1d237f885015bacd32483f7d4135d1df.exe	146
PID 4976 wrote to memory of 1020	4976	1d237f885015bacd32483f7d4135d1df.exe	146
PID 3536 wrote to memory of 5008	3536	1d237f885015bacd32483f7d4135d1df.exe	102
PID 3536 wrote to memory of 5008	3536	1d237f885015bacd32483f7d4135d1df.exe	102
PID 3536 wrote to memory of 5008	3536	1d237f885015bacd32483f7d4135d1df.exe	102
PID 3536 wrote to memory of 4968	3536	1d237f885015bacd32483f7d4135d1df.exe	109
PID 3536 wrote to memory of 4968	3536	1d237f885015bacd32483f7d4135d1df.exe	109
PID 3536 wrote to memory of 4968	3536	1d237f885015bacd32483f7d4135d1df.exe	109
PID 3536 wrote to memory of 1188	3536	1d237f885015bacd32483f7d4135d1df.exe	108
PID 3536 wrote to memory of 1188	3536	1d237f885015bacd32483f7d4135d1df.exe	108
PID 3536 wrote to memory of 1188	3536	1d237f885015bacd32483f7d4135d1df.exe	108
PID 3536 wrote to memory of 556	3536	1d237f885015bacd32483f7d4135d1df.exe	107
PID 3536 wrote to memory of 556	3536	1d237f885015bacd32483f7d4135d1df.exe	107
PID 3536 wrote to memory of 556	3536	1d237f885015bacd32483f7d4135d1df.exe	107
PID 5008 wrote to memory of 3588	5008	cmd.exe	106
PID 5008 wrote to memory of 3588	5008	cmd.exe	106
PID 5008 wrote to memory of 3588	5008	cmd.exe	106
PID 3536 wrote to memory of 396	3536	1d237f885015bacd32483f7d4135d1df.exe	104
PID 3536 wrote to memory of 396	3536	1d237f885015bacd32483f7d4135d1df.exe	104
PID 3536 wrote to memory of 396	3536	1d237f885015bacd32483f7d4135d1df.exe	104
PID 396 wrote to memory of 3780	396	cmd.exe	113
PID 396 wrote to memory of 3780	396	cmd.exe	113
PID 396 wrote to memory of 3780	396	cmd.exe	113
PID 3588 wrote to memory of 3056	3588	1d237f885015bacd32483f7d4135d1df.exe	169
PID 3588 wrote to memory of 3056	3588	1d237f885015bacd32483f7d4135d1df.exe	169
PID 3588 wrote to memory of 3056	3588	1d237f885015bacd32483f7d4135d1df.exe	169
PID 3056 wrote to memory of 5100	3056	Conhost.exe	116
PID 3056 wrote to memory of 5100	3056	Conhost.exe	116
PID 3056 wrote to memory of 5100	3056	Conhost.exe	116
PID 3588 wrote to memory of 3316	3588	1d237f885015bacd32483f7d4135d1df.exe	188
PID 3588 wrote to memory of 3316	3588	1d237f885015bacd32483f7d4135d1df.exe	188
PID 3588 wrote to memory of 3316	3588	1d237f885015bacd32483f7d4135d1df.exe	188
PID 3588 wrote to memory of 3160	3588	1d237f885015bacd32483f7d4135d1df.exe	124
PID 3588 wrote to memory of 3160	3588	1d237f885015bacd32483f7d4135d1df.exe	124
PID 3588 wrote to memory of 3160	3588	1d237f885015bacd32483f7d4135d1df.exe	124
PID 3588 wrote to memory of 3048	3588	1d237f885015bacd32483f7d4135d1df.exe	123
PID 3588 wrote to memory of 3048	3588	1d237f885015bacd32483f7d4135d1df.exe	123
PID 3588 wrote to memory of 3048	3588	1d237f885015bacd32483f7d4135d1df.exe	123
PID 3588 wrote to memory of 4848	3588	1d237f885015bacd32483f7d4135d1df.exe	122
PID 3588 wrote to memory of 4848	3588	1d237f885015bacd32483f7d4135d1df.exe	122
PID 3588 wrote to memory of 4848	3588	1d237f885015bacd32483f7d4135d1df.exe	122
PID 5100 wrote to memory of 848	5100	1d237f885015bacd32483f7d4135d1df.exe	126
PID 5100 wrote to memory of 848	5100	1d237f885015bacd32483f7d4135d1df.exe	126
PID 5100 wrote to memory of 848	5100	1d237f885015bacd32483f7d4135d1df.exe	126
PID 5100 wrote to memory of 3264	5100	1d237f885015bacd32483f7d4135d1df.exe	131

System policy modification 1 TTPs 16 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1d237f885015bacd32483f7d4135d1df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
"C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Users\Admin\sgYEEgYo\LwcwYwAE.exe
  "C:\Users\Admin\sgYEEgYo\LwcwYwAE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3172
- C:\ProgramData\OgEEwIEA\SUYEQUII.exe
  "C:\ProgramData\OgEEwIEA\SUYEQUII.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        6⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        8⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        10⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        12⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        14⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        16⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        17⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        18⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        20⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        22⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        24⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        26⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        27⤵
        Adds Run key to start application
        
        PID:4472
        
        C:\Users\Admin\QmYsooEI\DaEEcIgQ.exe
        
        "C:\Users\Admin\QmYsooEI\DaEEcIgQ.exe"
        28⤵
        
        PID:436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 272
        29⤵
        Program crash
        
        PID:2092
        
        C:\ProgramData\YaQIEIsQ\fWoMcwUE.exe
        
        "C:\ProgramData\YaQIEIsQ\fWoMcwUE.exe"
        28⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 372
        29⤵
        Program crash
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        28⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        30⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        32⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        34⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        35⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        36⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        37⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        38⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        39⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        40⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        41⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        42⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        43⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        44⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        45⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        46⤵
        
        PID:1064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        47⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        48⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        49⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        50⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        51⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        52⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        53⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        54⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        55⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        56⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        57⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        58⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        59⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        60⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        61⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        62⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        63⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        64⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        65⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        66⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        67⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        68⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        69⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        70⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        71⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        72⤵
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        73⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        74⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        75⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        76⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        77⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        78⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        79⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        80⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        81⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        82⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        83⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        84⤵
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        85⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        86⤵
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        87⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        88⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        89⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        90⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        91⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        92⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        93⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        94⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        95⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        96⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        97⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        98⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        99⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        100⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        101⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        102⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        103⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        104⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        105⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        106⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        107⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        108⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        109⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        110⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        111⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        112⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        113⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        114⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        115⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        116⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        117⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        118⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        119⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        120⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        121⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        122⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        123⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        124⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        125⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        126⤵
        
        PID:2148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        127⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        128⤵
        
        PID:5084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        129⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        130⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        131⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        132⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        133⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        134⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        135⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        136⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        137⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        138⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        139⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        140⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        141⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        142⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        143⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        144⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        145⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        146⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        147⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQoIwgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        146⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:6004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piEIkEkw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        144⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:5716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:5708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        Modifies registry key
        
        PID:5400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:5392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyEAgkAo.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        142⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWksMcow.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        140⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies registry key
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukkAUoQY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        138⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQoocIUw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        136⤵
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        UAC bypass
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:2716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGscMowY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        134⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGUcQwII.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        132⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        Modifies registry key
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsYgEwYY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        130⤵
        
        PID:3224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        UAC bypass
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myQIocMo.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        128⤵
        
        PID:3160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:1764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        UAC bypass
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        UAC bypass
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUEAUwoM.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        126⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:3104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        UAC bypass
        
        PID:2388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:4944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEMQEAsw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        124⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:3300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        Modifies visibility of file extensions in Explorer
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqQcoIgY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        122⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        UAC bypass
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        Modifies visibility of file extensions in Explorer
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOIMoQIw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        120⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmAoMAUU.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        118⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCQoUcYs.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        116⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:3536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqAQEcUw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        114⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:3832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEYcYEcw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        112⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JogEswYY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        110⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:4816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:1976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmgAMsAY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        108⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:3064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        UAC bypass
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWcUQEUI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        106⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SsAUAYMg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        104⤵
        
        PID:3028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies registry key
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOscMUUI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        102⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgkMEkQY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        100⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies registry key
        
        PID:4472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        UAC bypass
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIIgQgsE.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        98⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:2180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        UAC bypass
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REIggsAc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        96⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\veocYcEk.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        94⤵
        
        PID:2080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAEkAgsk.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        92⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmQMIcAc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        90⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:2276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        Modifies visibility of file extensions in Explorer
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWAIsAkQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        88⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        UAC bypass
        
        PID:1440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yesgAIgc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        86⤵
        
        PID:936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        UAC bypass
        
        PID:3260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        UAC bypass
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:3892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAMIUYAI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEkcoYcA.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        82⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEgcMMYs.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        80⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgIkkAQo.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        78⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKIcskcs.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        76⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKkcIUcM.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        74⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyocAYUU.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        72⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAQgAIII.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        70⤵
        
        PID:1408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQIIEUUA.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        68⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:1404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        Modifies registry key
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaYUwoAU.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        66⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcMwgEUc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        64⤵
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HocAcYME.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        62⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owgYYwgU.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        60⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqMUIUsc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        58⤵
        
        PID:780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqoIkUYU.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        56⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIEwUssY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        54⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyogwQsI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        52⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:3136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        UAC bypass
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGMIowcM.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        50⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAQUQoEg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        48⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqMoYcEc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        46⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gawAwAIY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        44⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        Modifies registry key
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuAIAQEg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        42⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zewkwocU.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        40⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McgIMsEM.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        38⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsAMEYUo.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        36⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcUQAsEo.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        34⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOYYQcMg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        32⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HCIAwAYY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        30⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgMIEIcI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        28⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fksEAYgc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        26⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rikIooIM.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        24⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEgokEsY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        22⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gywYIksU.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        20⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCYMgQIc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        18⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOUUAoEE.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        16⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQAcQgIw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        14⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGgEgQMw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        12⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOccMIsA.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        10⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        UAC bypass
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKoAAIog.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        8⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1152
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCQokwks.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        6⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4152
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3048
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3160
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiIQUAQw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:556
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4968
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1020
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3092
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:4860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQAYsYQY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:840

C:\ProgramData\pSEQcwIs\iScIcQEU.exe
C:\ProgramData\pSEQcwIs\iScIcQEU.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 436 -ip 436
  2⤵
  PID:5020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3212 -ip 3212
  2⤵
  PID:3736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2324 -ip 2324
  2⤵
  PID:1536

C:\ProgramData\baYgoccQ\YOAUskwI.exe
C:\ProgramData\baYgoccQ\YOAUskwI.exe
1⤵
- UAC bypass
PID:2324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 268
  2⤵
  - Program crash
  PID:3640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OgEEwIEA\SUYEQUII.exe

Filesize
432KB

MD5
56d91676758a59c98a4965d872313845

SHA1
13c3577620a0934c9549eae43e515faee9b9781d

SHA256
c26b5e9f444e024ff802acf706116d0295e2804377128bdbf3893ead39ce6fd2

SHA512
98b76992d231211cb018055861f9c0adb412213cd3e6168e01bce57858a341d35746cac133732b401a35909e7163bb0da7f2c46bd778d3f8e266624dcf3df837

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
876KB

MD5
8726b9ea5a0d3965c4981d1f51c67a56

SHA1
6d909a09005a2674cfafd7dcceb68326dd14c405

SHA256
ea2d023798fc32aae4be4d5aef4f7aae5aa3c9e5c0ed93b4db1f1861bc8b2b8e

SHA512
abd8572066cdd1ebcfe900b1cd2f8bb8753f217052048494f950bfb37cc20ae3ba8739826b928cdf77a7896e2cc6531493a94abe34046872522b8a13f2823383

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
888KB

MD5
ec95375ec78396f8dc15fbba141bac87

SHA1
01308454891e0f2018cd1cb19fbbac6f69753ce9

SHA256
c6d136676154b29832598e4645dcbd4fdde370cf965da9197a735db8b861e35c

SHA512
e2136311b763840198b6f4adcaf01a277fa2e65fad889f599f27ac1fee3155fc6c6ddb6b210936f94d3bf8226b8447c68cc959671914d96a3ec09b77abf875f1

Download Submit
C:\ProgramData\pSEQcwIs\iScIcQEU.exe

Filesize
431KB

MD5
df784d8458c9f32430f583e3b89e7c5a

SHA1
737d66fc98dbd461f6503362eb4d1cf8c58a1382

SHA256
c8f2760fe4d6cc1a68f5f86049b80deb2c702821e7393d2d85e255d362cd375e

SHA512
6866058729edf280192a0e0d1c6310e66c64ded00ad628a6645216011a0f94b4e8f9c0ce3d533116f6dc3e82a4981ef74ef5d88d469daf9df07feb6de8b27a91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

Filesize
457KB

MD5
816c0f9417a0d171772166ed0468054e

SHA1
07d377fdca90261485d8575f36c7735d2e94710c

SHA256
d401833146901e8333545f56dbe738e2d08214d735a4a099c7ca7fa832ba5a94

SHA512
c39bba84bd4573676ff06349a2456aff53d664e9a6ca0ab1986418c5d884f6a5c80248d83d567e9a70daf7258121150285c5f6e3d97d2b3f73bd6dad287b4403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
2.0MB

MD5
e2bc9b71710c758764b33a8d3d96bc77

SHA1
6d15405a8e40e4d5cc63b343a0430596cbd889ae

SHA256
06765a7a928a067265b2b00c10e382886bfe8f0c4e6e772417534d11724d9dae

SHA512
9d675259ce1c28817f90bd0d1b1c80bc63db362b55362bd7e34a7f022a25c186e6df9885b7d38fb76576e2623a989a8f3683ad85933ab11312a9de5ff634d654

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIgC.exe

Filesize
454KB

MD5
04a2a2555570bd4debcadfffaa9c8f43

SHA1
22132c5e63013fe8e69db47233288d76613fc7f3

SHA256
d168ab89a5a8aadd0c544bf9042112d6710d9d6af8099a40765311d248834f3b

SHA512
4b1c2ef952e9dabef71ee82ebc66a10c74ca63e356b77e1d906d48878688cde9e999e6f1a19562ba4fe3a0904adae5c0188ab87d6ab306be0a19e3b7dabcea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkMg.exe

Filesize
431KB

MD5
5f8c63e25134474aea036d60723fa01b

SHA1
198fdfa2108ae70fa5c5c74b0fc01ece4da2b740

SHA256
00cd4e992ccea888ab64abcacc99bd581d106f09aa64b4f3813918b7ab13d23d

SHA512
639fc1eedccc6a6916247cedf26779674ab6b26d7d32cba05546c5512598a19d953da03857020e3699e71a3341801e520a36b526d13404b570820ea448020e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bcwi.exe

Filesize
437KB

MD5
4fb1370ddb61d3d86cbeccda66b6e034

SHA1
1133b2a0275d675145c6e04415bde371e80fc3a0

SHA256
a473805bcd2b31461c8a0fe7d0fdb923eee4338b18a4993dc7ff38d2d53c7761

SHA512
c48772a7ca0f81d5f9d38d4ab7104590489c39537d409f1af4cf1f8be5c575ccc7e304de8a8a0d9800c0f54187efe6421961b6d122f2ee20efaef6b4ba6387b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIws.exe

Filesize
437KB

MD5
bbaab9ddaf6ef06e86737a614c95f2fe

SHA1
9dc225e6bdb3380755859be2340420594efa529d

SHA256
5b4085fd4984fac5425325a4091fc1635b99c5f80bf27b92131c400102a08264

SHA512
3e04ce0197433262eff08c62c6dee3c0600aea3da6eff625f4a5ae8ae7a1a8f12ae5554f4bba45480178c61ba31184813454e3680c019ee399d5adfcfc146df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYgE.exe

Filesize
470KB

MD5
2ee60380f5c9dc51167e89d2912336a0

SHA1
0459cadd7538005e597001ca6ace6d6294e947c4

SHA256
2c04016aca12a05e7aa14b60b565decee1bd63642d4c2c9ea522aee15c0cf60e

SHA512
3bdd9e3f26bf42ed99bbe3792468b9fcb24dedf98f6962fa78b67c23162a4bfab87810889da92a2ef2aa55ddae1eac26e274be9c5dc21c337c3447c8f24a1c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DosW.exe

Filesize
440KB

MD5
2f809931dfad9b80e7cfaa5db519e585

SHA1
4ee7afa6352a3511e074aad0d33b2244a7e2a356

SHA256
abd9fa3dd37b0c7f2b803a16023c66d3f8a18814d87f4139f4bae677f9d20de2

SHA512
65f73f385a78d1267068f1d0a4a955c6d7f82c51b918a7f98b1132e0c92471b6cb158352aae81d3768eef0cc41fa7697a608798d3187910e85e0711e0a5fa5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAMm.exe

Filesize
437KB

MD5
7ff74faca408b67af599fd225e8c2dc6

SHA1
4e2cb73a7a5928b4b9103dc2282c79ccd73eb660

SHA256
d046e946bc719adb10c58283b06829511fb5c4cb94e7a8221e9d4f56b3d77e2f

SHA512
7013d5eb2e237d8ee939cb34e6f9b598d75d75b23a0c6ac519a658edf018789041d9d49834a38d1a86f61971de68981751d251edca8c7e87a8250a72a80af33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsIU.exe

Filesize
443KB

MD5
cad59dbbd758eb335bcbbb6f19900c09

SHA1
1b9231bf581ef6d80b35fb0e8072c84143b7ceeb

SHA256
fcfaeef2ae40bf1e842c83482bbce81428057254bee2815693e5ca2a4037b878

SHA512
020bb94581e45ce349f3d6aaa67492df753019afb50aff2df672c9ca75ed0e0a0fba80bf5dc645e5ac3225b2a5b7edca4342fdc90b5c9f1fb6f6b844badf5e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIYA.exe

Filesize
1023KB

MD5
329a7db9201f4d5dfce11c4cc02ae745

SHA1
8fd17c784c4f9ff76116ccfab393070386bc68a5

SHA256
efe2a5d1ffdc0bddae7018b8bd191a0be3bc5563133157c718fa9b5b7882b2ec

SHA512
c33ec104913af932d8b4ddd62125ce7e6157c5b8e4b0556bf649b11419817c6ba7eb120fed8ba3cbd7d988c248592dda93921219d0f7cdff631976569b74890d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcwU.exe

Filesize
888KB

MD5
5b8b0d47850584176e8488836783761a

SHA1
bcf1b008b18942858d43748b46e88886215d49aa

SHA256
cebbc067ea0372af1ac021b08474163f0c6b146785b1e8fd9c97ea87e8631215

SHA512
4b3e7e53ce0a3a9ad960c4098d0de1497c6dce88d4136d308468d0bca88f44fc627b4a9c3126d1b397e8b276cedbe2690383df13313099723cf558d37f628561

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hkge.exe

Filesize
443KB

MD5
b3622186051103c9ad97e747252d1292

SHA1
f0e15ffdb8d2407f83060d11fb3b316c8fc350ba

SHA256
580720113618818c117b6ae031f28fa770ab570d36ee9dfa37f41fb486564f2b

SHA512
fa9f9867a4cfa97beb65f17564db5e2f789f463640ea488158adfefc7fa320640580ad133f2b943fc9e07fe0036b429387f2390164ab8bab10cd814d11f9b3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEMK.exe

Filesize
442KB

MD5
5c12eb661f200d59981fe462ad32c010

SHA1
8c813ed1aa9c722241cb55cf83bf1b1cae3a94e6

SHA256
539e022c677e78e84c0411a05b22243da883aba3bc0478dfd6860c3021b74518

SHA512
f98c33bcae805e18f55c13ffdf73f31517a7f346c2e1b3829221f9426ea4543b43be1669cea15d26edc76df07f1a65e373c8a66922b91aacb6b91c35a5c46697

Download Submit
C:\Users\Admin\AppData\Local\Temp\IckM.exe

Filesize
446KB

MD5
e12c3ef75ea10891de562cabbe1199da

SHA1
f4c50803f4c6111221ba4bbaa1a8746cc013bf4c

SHA256
c04806cfd4a82e25b4f060318e6c9783a7a5ab5dca21955970686d3f884e7f28

SHA512
2475aa18e08659e503edc31e6ce6e35a12877c9d34d3768f4080378af168ce93ca3fbc810357dfdc51a432ca5dcbb8fd7f8496ef0724f8f6c608331b692a27c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYkE.exe

Filesize
438KB

MD5
666f3039e91bf32c245987ff772e0709

SHA1
e3317fec75314b0849570ecc28cf46189715ca44

SHA256
8ba363f0aa52468864ec5b583819aba47fc1111f80f4fb81a78dca4201b391da

SHA512
927cf43239d76fdfa60fdd73d9557bd04896d023d49ca7b48fff6360edd687753c51a35cf05ee6753adaf286d6d88dd7e381aaab0e767f0b82c75954b976c9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwcM.exe

Filesize
1023KB

MD5
48d597dfd4ca92b093d3dbd477957a95

SHA1
c5166fce8ba759e123854093372b122c2ec2f5e0

SHA256
764fb8e464d486857c18d15ab6b27c9c3d8825093cdb4013428e84844d1d46f2

SHA512
0bfa1f43aee5db497aa8b80ba78e6a2a1a505036800c6444b0e4c4302680fb6d279c5c8f940cdf8133ca0054559e59891994c2ba92b9921ef0469d24f7db9cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lwgu.exe

Filesize
881KB

MD5
5a950336acc3983e13499e7b628cfad6

SHA1
d8bcba7ce2635fcad128706f3a89cd29b30e3a47

SHA256
0cf0cfaf87820e8c84dfec37f738024c0c217cb33f5531b70a562d60626991b7

SHA512
5b573ece8c714b0e81903e19efa232b179a2b5e0d8e677702427794e133bda803aac97ff544b122811dbf395b831f8a2f9f774b08fc6fd7783d3c99aab55e6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMge.exe

Filesize
441KB

MD5
e5fc327e9166cb4eb16dff9e1c922b1e

SHA1
45ef5db23714d2846cd166616b44595c836494bd

SHA256
d4575119740b92cef58b7eb65b15aa519953c6c213fc0f183bbcfa0efc417435

SHA512
9f7c9a8608d7802f4d2172573de8d699121103c1c0046e21da79bb31c04239f04cbe7c0b5d0f4905fb50b8561feb2055c457da98b0c3f42b6b60995cabcda460

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcYC.exe

Filesize
440KB

MD5
ed8efa963c72e7ac90fe8caaf30b5eff

SHA1
89f9519c35185ade768b441072a25e23af91d264

SHA256
668513cb4e7ced5044791e67cce9e0da68767444ea5f6c996ac47866055c3593

SHA512
d283310a42b18ab08662af4f4344285ba695be7ecc49ce4d14a4ea0abf4b6917b0e22902d70e9862fb0677d02b885f79ab72a76af34fec1dd8e3422403929015

Download Submit
C:\Users\Admin\AppData\Local\Temp\NooO.exe

Filesize
440KB

MD5
1b49418b9f725c80695f977173fcfb02

SHA1
bd5a78a680a01cc8be2fffc84d90a9d0f8daca7a

SHA256
a29722cd73712ceac95169a71524107542f060395aca8d9a0398e5e9a553f568

SHA512
153819615e30a022f2fefaedad1e3ffc9c454ff15aacad8de839319b00ccb65c5efc4f7660598b536a1abd631f562917de3de794e6fa83133ed0fdbf937e27c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIww.exe

Filesize
3.8MB

MD5
5d8a0a057f9ca662c912ef770fb72c9b

SHA1
19b1762020e6fa2bb5863e2fa0ce0d83e8d9a95c

SHA256
76d8b23d422e5238ab51fe51d221ed3e68b6aa9255347831f6d62c0f58437ad7

SHA512
85b951d9505d2318195b275e23bf936a610ce995dcb54abbb9651ce8ce097b5a2090eb2b792adafdf4f571e95dc422373ab4a5a8c2150ae71947756b8b2fbb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwsG.exe

Filesize
437KB

MD5
0dd61d65a19c7a12323402480cee591d

SHA1
48e0a392cfb749791f82c79840d2921f08522a18

SHA256
f9c78dc211b8bb0b16e83711efc8ed87ce99b843734490390d45ea171bc9a42c

SHA512
d11c8620de2793f2a91f16243836bb41fcc881051d274198f4aece540eeca5cb11dd2a8a4c36d84c4a515d834a5ae2cc37d26cc4d89e52b442c4c6071bb880dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEEM.exe

Filesize
461KB

MD5
b9cc1c210d9b2b1a9a2ba31f0977447c

SHA1
e5145640134ffc0a68c574e604af6615193bd38a

SHA256
2d91292e66d3ef92d6a67c2886bd0aead887c8e9f298687dc9ddd4dacf9ab22e

SHA512
df439a2ee94ed789c47af2ca3060295a55adab9db7e0d5d729ffe727c722105b63f946f1f64df00835efd75113e6d4a8a3561e0e7ae4915b2a0a79deb86d9469

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIIY.exe

Filesize
1.0MB

MD5
7387a42359f97c391dcfcf49294961b3

SHA1
093adca13afad1bea85fb49528a992bf48e95709

SHA256
302f20e69b206039fcf7492b3c036cfbbfd40c6be74c07378acbdc6fb553ea68

SHA512
f85139bc5c90724ff103ffb7bd5dc118dc2a7f4d4032aae64f7aca181e08eaf455de4015e47b996dea667ea37f6af382e35372833c142364abc95935b4f67c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYUK.exe

Filesize
560KB

MD5
8b1dbe50bb486b89ec2ae5c33f8aa276

SHA1
6f81ae2180fbf09470f88b3af354cef9a6373e7e

SHA256
dfb36d628b1b3ff3108273a4be5abf110e3f220f04ab161298f2aef3fa5c8714

SHA512
987d839c9dfdd877680ae0f000a5cdfb1dccafc920444c822b053a4a22af23e87b5d7b4540a037f1ec24cc62a15f7eaf15020a5d96a5d528384c91b90b28f356

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tocc.exe

Filesize
441KB

MD5
38d7556ecdb9ea13e08c466fb770bfc1

SHA1
85e9eeab12ce44a4aaa775ee2edda31b6cd27422

SHA256
9b42b019d21af53b567520f937d20d6a0441768eb31f9107f37ce5629006a686

SHA512
3b90e55bc42e6c6d52ac3c0c2cce5e883437e7429f6d3da8d07cc1e67661e2e072f28a72b655e4555e2c338320baaa97e2a165873ec688c089d7ff9bf1025ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIwE.exe

Filesize
804KB

MD5
90cddf73e0169c77aa1b986fc5231770

SHA1
a112148fc207c43d82a139952a9fd32306ff473f

SHA256
64bf7184b788c63daa0975a0ab79faaafc86882db690587dbd4722f7888ae1ac

SHA512
88e639d906d282d8fee2791eae7da002d0a4a8b90ebc2ee9fb86e0ba84a103db105d2590c7944da077e0c6115af04b8652d33671f2862c408ccfd9beb17774c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwEK.exe

Filesize
890KB

MD5
be4d9ad0f5eb387eee86c402112e2d6f

SHA1
bc1093a3ee9ae4104c92101dbcd76b453dc51771

SHA256
64cf71bee14f496168b32e5422e03e483c5f9d16eb7869da20a314c777c04dba

SHA512
13915fabc0004e488e34edb4f0063bcbcab2bd5ae8b931c022d5ce62816c5b0055108e97af488b6fb13e33d25c10daeffb7d8860db8f5cedda0e84de5cb3aff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUck.exe

Filesize
442KB

MD5
12d19ecc4d474c8488e680bbe56165e0

SHA1
68e6a8c820df71cfb8b3053e0e2bcd5980c34794

SHA256
bd574ad54421d38c8ca2d5f39fb6c84df7d5ac8ef117a14f091efdd72b1a4862

SHA512
9147f935b180c2d1e824806f4687703f36a97aba12bde9290a0f8cbd494853ef6edb8d9e5b9f804332b471b556378e75918e7c30919bd57e9ae4bf651e73ca8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMoo.exe

Filesize
439KB

MD5
927c5a4fabaaab0d34012c70f5cc12d3

SHA1
f308f76186b85320163d2fc40f2519d4e74c947a

SHA256
0db7ff2512d753fb706825c95080fa2578318b5d36674aca45cb52091c35569f

SHA512
5703a21dfb7466be2076c281941f7bd26006788bf7302ff3b6370d57c42e9bc43fc87adee3e359a5485daaf4d1cc918895290eef2f8a19b840ecefbc63e741a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUEU.exe

Filesize
433KB

MD5
b922ef524bf911587dab24f700c1ca0c

SHA1
88d808a8ea9eac9462536c70ce05d68dd5d6dbfc

SHA256
ebe21fd57ce23c0ad83c4ccd850fe53d02f68b8ce269c8db81a91e539c8e963f

SHA512
6b53c78ece4f5a1193121f4d95e2647ec76010f5e1d3d0141c984344fdccbeb20cb1d52f3a8bfc659ef3677e194dfe2b4c377d2e6e206e9f32eee4b56b506d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkIy.exe

Filesize
446KB

MD5
7a7e4fea587bbf939587005710f71e83

SHA1
839f142d11da29b47a6f194950dad728ca6900f0

SHA256
75912fdd2a4a65ba86212b469954e3fe4e13e92c7bcbf696a242f65c8a33b430

SHA512
5674a3848c1b2a1fa76c7191c9728317ba697fd44e79969b1130bf6d24664aa195c1ee2c28b2d218cb8f25a340912240212410f6a3ed78f20c63994164cebecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEYI.exe

Filesize
441KB

MD5
4b3374ea658162d84989e8b1754f42f8

SHA1
13c5cfa403d41dc8417febdcfbdc797e5d212e10

SHA256
217d44203268938ba76af767e63a4a0303ec59cf226238439fe3a311ad28efd5

SHA512
a098eae4a73074e5e530834b9b43bd1ff76e1a0b953640be79389bbdbfb659fcde35cee46747fe00960c871354150994ee37699923229dff4c165a15d9d72861

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEsI.exe

Filesize
436KB

MD5
5ff980417c394e7abef5474cc1efde0a

SHA1
d9761ccda7497cba946d0d2f8a9fa7c33689ab94

SHA256
a4dac7c3347770cd73505a85dc8da4ce1027bea00439c655a558967e6f2a3a77

SHA512
9101b7df005d977d2f786f9aef4bb94cad48ff44c99adfb35da5c99441e132673fc9fdab03a676bb7329e7d548ddfe82f7cb55373a02676a887e242030b2c065

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMIy.exe

Filesize
1.0MB

MD5
6e3b3ec8c5f8245f0fe2e7d2979047ae

SHA1
9c764b05b5faca8186f482588f4ec334d59098c2

SHA256
485059309f3d5fb8c426ed56bcab206cf1c7d64ceea4ef478a64a0ca717e13d2

SHA512
6504ddce7ea68714155a169b06ee5e859c69e1bb3f7a97086814b62cc70cc9cbeb607c9124ac0db234c4deb55bbd374a46301971a10c8be7e1f5a5bbd392c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYIe.exe

Filesize
441KB

MD5
9cefc1b0246eb6df7f6aa08a170b2cfa

SHA1
ed9cf7c09efb3cb3bb02ed8bcc72f3ecb7f566b3

SHA256
fc3c2636775521dc39dfef38d85bcbe37b93ac27fe7bd2f8067da4bdeba52894

SHA512
387418d617787ba90ba395bbf12c20b753672fd045ddc9339ef079861ae9bdfae448ddde77b75a9cab255976b1b71cc64ee7b50ad824c565844ce568505bc502

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAUI.exe

Filesize
439KB

MD5
94b42b2ba7dc67bae83a1eb22a9c86ae

SHA1
4d1b2b6349f5271d72b1bc03942149758aec17bc

SHA256
edc202d4b173db6a974b4405616a8c1ea2f1ad09fd9cebb65efea1960a1bfee3

SHA512
f9d41c6324080fea206b9db08f5ad1bf09f743d1279d100c09520017511aadbec7d84848a625b180ee9e26ca693c786edae48e5eb56740487a3198ba92336075

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUsK.exe

Filesize
501KB

MD5
7299b654a0d0f4661c288dedfa58660c

SHA1
101c44fdf438528a75a4e3b188e9fe9fcf812608

SHA256
bb8760c7a53288298cced91d990fedc0e1ab86c743f8b0568134925e6fbe9369

SHA512
82db4fd36b84b765e3520c6fdbff13279851fcd0de58de8a172bdb33cb5f89d712e48dbf279a38e3e1c480951e884c0813d94657d1e3a6c76638a47e8a4cfe5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEgi.exe

Filesize
5.0MB

MD5
8a650332bf976e26a327dc9ddfce7ca9

SHA1
e13bfcd4ea7b4c7403d7e0ce654c8dc4aefacf17

SHA256
557a3589b744f6dec5e23f187679e297e1b9743a94e8e28c3f137ef0457b123f

SHA512
0758bacc1f53e34b401756cfb9127baa931c064f0870409dd03727ba164d7c48cd3eb2c12fa3384e7b5121aa3586eb87c00cac211f84b2ddfb082177b2614a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAYA.exe

Filesize
439KB

MD5
e69201b1294ab5db0af3061083ab1f64

SHA1
3aaa08e54966f39e30486e5a4c67c1a388777e3e

SHA256
acf9afaddc114f8f1ada878f5b3691ef0c200d3258eaa7e19f0c26f17f8ac1bf

SHA512
0341b66473c9b5bfb51eb077ea081671c46083867ee00cf835596b18f41732b4bfcdd6e48d760753716947577334186943fc587f2b03d9eecd495649bd51c7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAAg.exe

Filesize
563KB

MD5
f93722057ca5a4f4a32b588cd925907b

SHA1
5d5bf29c584bdf1928169f17871b2d247e9adb89

SHA256
1334b473e791e605a983d93204ddf40f16472a8ee939fb6b850eb8149fbc20cd

SHA512
430401e9ea646ea43392ad61656b5192facaa404d8f40cfa2c60e390812c322ab3b1a07564cdf693286eb574a6c55352c359893ea5ef7c774c94b3fec66065cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYAe.exe

Filesize
479KB

MD5
a1ad51e3d3e49ea82b7bcb623e5e0a9f

SHA1
57559a8fd5bb106af8b2e46afba64d0668d4a9f4

SHA256
179d2f7f1c2dd1e2032d6b47b0432e20c8e6146430fbe16505dd86e174d0a787

SHA512
49895fb0b25b70fbb357e1c0a7e9784285e49be997ff4454aa62450cd9a61f12e82642ddfb0dbcc13bc85d73548af94ce9380231e9b588a11d2e76d8188c25a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIEE.exe

Filesize
438KB

MD5
7ac7f75906c3200bce3d7b392a96f460

SHA1
8333cd27e109614f8adff5b72cd029031f50ae16

SHA256
46f5fbf4983c9ea83557eaac1eb7dffbff537303c48e59c108fd97fe302a19e7

SHA512
8bb0bf8500764fed0056b7240b5bbf5ab7e71598c671b9a9063a34c4edfe9cb213792657d253350c35cfffc5068e544dd433a65ac4bcd943effe0606e9963693

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksMQ.exe

Filesize
673KB

MD5
12b984a14916713169f970e9a5ae9b82

SHA1
04870908691137461a8e9d3c58196fc634bd0bb5

SHA256
b1d20a7486f451f51543407f6cd15981f7c5c16bb6c0f656c9ff88ca0a3fa5a6

SHA512
70cbc59fdb74a96327fc040750c69a3168a1bd2035f95a296275a16982643aa76b5260f267a902dbd1c567187e40336472adc3e48db46c7317ecc29f7eaa10a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUIy.exe

Filesize
436KB

MD5
5c7684782219647a5ad009c99df904bf

SHA1
18f1de9422cff1848f0e9071ea7e28dff25a9ccd

SHA256
76c48511ba021ff2d6368cca70629404a02c634e1cc37ef12305c8c8f6707e38

SHA512
e5baf956fcb3d7edf869ec4c15b3a5d920938d2122a6d0c92a0b4cd90eb321132f468906ff2c7ea4d59031808e9018f473ec6f31c63664c6099b5f63f9830d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkIu.exe

Filesize
436KB

MD5
298c0ce3ddd9ee504fafa985b903da2b

SHA1
808fd9577e1970258842daba23b116a24ecade82

SHA256
b63fb39270e3dc3a5872e9f6700bdd61d57764a2112bd9fbd293529f2652af9e

SHA512
038f730f3d6da44929f108b11f1563f98d7ad73abb7d2f64172d88e7776c4cb0cf0d7caaba319f159f1ae291366c26c06d02e8c36abf1206e06a099ad9827c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAkU.exe

Filesize
440KB

MD5
80de5a705c071889dbde53262fd203c0

SHA1
b5e6eff2f876b8ab5ca4ceb3a87ed2e70c999af3

SHA256
e767e3a1f4b6631c5471ff906ff89c8b4fbca8414209a541fbc7d92aca7f976e

SHA512
7195b2f393183777fe7b6c4523ebfd9a119ddf8b10074e883d834229fe0b47a59d394536b400b46d16def8bd3de0a2e702d069bace67a40c043193588c6908f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIgm.exe

Filesize
438KB

MD5
4c962e6872ee458199b3f2c16a27d896

SHA1
7fdfc7dd3349edba156e270498ad455cc1e258e9

SHA256
fd72aa390262028cf6d32ca5987f09c430029447dca39e2db9beb04e1deaf303

SHA512
37536096e04746928363aff02ad3fc8be5a1f64fa83ae97ba8cd3a77fcb36b1f150f5b841677f41f958990498fae46178950e6876e1e134c4d4632dc35143549

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYkw.exe

Filesize
440KB

MD5
a236fc07a937be9403e98ee31128d656

SHA1
c52587f5a411031a17cb455fca8dbadc627b4be5

SHA256
25fb503d950393ee13675444daa2db26d267894f84ce258a556abf680aa8a06a

SHA512
408c396dc3f987aed0842b22bf8f6c78f3c4ea9b12b6a3a9da021ea1a74a98299609ee0dd64cec2c4c28a73cab22e0c4796c86ded0b44df88c2397903bdd0f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\noEC.exe

Filesize
450KB

MD5
a01122032cb366eebe72aadd7aaa5d2f

SHA1
06f606c523360ba440c2f7de257a3982199774d3

SHA256
a5580cb0b7f4a92b3b914970ebf80eaa19dcbb811e2f44df085b14d7f72ac2af

SHA512
15e71cb00ca3e1b459329e7e93b92554fd8f55f0483d5741d2fcf568d36b03419c55b22ff08cf04a10ddca57405baac22fbf379ae4e85be9020e5bceb9b65930

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMoK.exe

Filesize
440KB

MD5
785d3351bb1fab6461008ddd5001df90

SHA1
9aadc8f45739c1f2bd2d20ae968705e873127638

SHA256
a3e62884cd4cbd7be5706f587e5a6195ce1f7b69b0fb6aa2a50cf95bcd08347c

SHA512
35314cc600f2539da97c01d16ed1aac820e83d2fd57a52755f66b2cdbdf3daa6c9acb638664aa5c76aabf23e0f141c9221ee1dc46c5adf7d344d5a2da0b96a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQos.exe

Filesize
436KB

MD5
97d5995e8f71117b75f25aec38a12808

SHA1
3177a7ab072473e9dcea618a398e5e802d323eec

SHA256
b01fc90f589404bd96b80d7a9974fdca6f3e0f4d04e7dba633681a0079354b6a

SHA512
7bf9becdabe618b636ba6d97a3a3e20483e3750b8bbfec1dfd0dada42bafca5782695b9315a8a25db1bf93d417d1571859e86e395e598556d515c4b27cc1c837

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiIQUAQw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMcw.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMQE.exe

Filesize
1.1MB

MD5
62db648bc1420db12815a82dcbe0cf89

SHA1
6136d8b0d8d75b807b5c05aa94858ca741718031

SHA256
79fc577764b8e87b13cb2877615a41af1c8d483a3bf9a27932e958d85a295247

SHA512
35119d28c6c1684af286cf08efd232b5757c16265e92f6c3a2cbabe0566728e50de5ffd9b10590a955082db9214acde5b48fb6e6fd08099e5a6f0abb19573390

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMwk.exe

Filesize
435KB

MD5
9a2303b1a3a1a51738d7e593d6b33cfb

SHA1
fe17025742097fa698b462d47f4755c1269db890

SHA256
32d7243f03ab44313ac710c557a85057f767217840033a5822706813995e2fd1

SHA512
e79f9f94263ae0312ef87dc36ad2e2fd7de5d94eb6e0c86b457b6286abd38187e5ef866a44f42b6bf6e91f3d7f04db95e9001e5c05a62d9192249da50c4b1558

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUYU.exe

Filesize
436KB

MD5
a6384dda84c5fa812d8612445e29cb2b

SHA1
41f6042c3f5daaa67b51257957523e91b4ec719f

SHA256
249e0d27d8832c28d8aab795348768a2b82eba8de222048b1ccf0e7751fd01d5

SHA512
4d51e5fb5807d3f5b84cc6e3704773444690ac49f5c78dbd5ad31fd44fc7a1e9f678acedb9e21004d75c902edaf7c2434ebef6a7f9ddac309c6dec43f928b370

Download Submit
C:\Users\Admin\AppData\Local\Temp\scgk.exe

Filesize
437KB

MD5
aa1844d9a9e2ad72cccd1e72a7b151e7

SHA1
06d64efc4341328befe7be28ebfac9140aa300b3

SHA256
12d617906bf1c397b704af4c5d78999ef0a6bf9720763ee74a6bdace96f29018

SHA512
3e47b2bfb932872a59fd183060e0c1ded39d9f24bc76a50a33fd8edbf9c3e4b7450b9f5b1f201f38705d4568cf723c54199dab02b16ef7d73a86fbe90523c735

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkos.exe

Filesize
446KB

MD5
460d96c3b41eebae55f806faa12ccd3b

SHA1
abbaab9bb0b888e1c32e7dbf512be62cc25468e6

SHA256
b40f5c499b8ceb4366bc9f40f5d2951fe35209ed8e6023f13337298ca1536b05

SHA512
8417e44dc0addafe7baade3919020804633940b9529fca7765fe9b161ef6ade6641a5f26a151b355ca0d54cd1c0668f66954e153dbc60e48e77998c35d57a92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsUY.exe

Filesize
256KB

MD5
30da03cb6e26b194c8dc03fa5489a1a8

SHA1
5bf87fe9743d00e07c1e60d2a3b6aa3de40e8207

SHA256
c16bfe8d68ff4ea25d89aa8dcd2d0622fcdaa9c8fdac237e998cae583d4340ce

SHA512
c11bb517860faf9483f7282e44f4b40bf720480cad2fb2c1551fd10fa011eb1ef00d40cead873f27e62c61659d638f4b265496103ad4d27413736fc3a5ba3bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\uGEs.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkMc.exe

Filesize
462KB

MD5
187e70709117a4645357bc032d879fab

SHA1
1d4de5ca5565ca2102d502b3279c104699397f59

SHA256
122e20f9cc8311b9f3ec91661281bb8e9ecfbbc31e579e166d3b48a41c34ce54

SHA512
bfb834d906a11a1123c9e5f74038e6c76eaaba05073111e42c3bf6bf1602ba32084f884a3ff7f0b11e36ee6c806837cfce1abe91186cb2700584c5a9da79d18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAkq.exe

Filesize
1.0MB

MD5
4e84e2f09027014e2c59a3ae693510d4

SHA1
7c3ba313aa5777757f87210c401f564f69bb7f3b

SHA256
e8afa6e61d260d74fa3d41ec7421d981d78aa6a7db271ab588866b3a57155950

SHA512
dbb727ea02d02e3ec2c6f15e0538b784bb02cd3c6dcd3b4269b7a35c16bfcb78e59733b666f82b57051c0b479e5daf8cef739c493670f9a30c2e7d09c3bea177

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUYQ.exe

Filesize
1.0MB

MD5
89d44afd74b7354386b45816a24b1d5d

SHA1
b7d12c3448ff585942f900a6098a34b6c68d276f

SHA256
de5cdbfa02e1df8f152f7d2b87be83e3c959d92477344b298bdb955e26225898

SHA512
7ba6560d5e4579c032198ab344856ac9dd0a4ce2fc2f258d276294d97f1e85aa827e105ef34ca7b577f1088f0d6f9dd98fd35e239aea0166a095103213cd9c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygIi.exe

Filesize
438KB

MD5
1387e399b0c6791f15fac24246fc02a2

SHA1
6519218f64b9601c89c44d183f3d1f3a74c61774

SHA256
4c72dbd914d19752578b5390270a815f0c5d8a85213cb93e0d166d7363ebc8f7

SHA512
537a1e4a9ce3bebf031b8973d24111ea6ad1184c53f3a4105fd1089cf9be47368cc7d145854fbe211379614438a316ba96c0db6734d1414b5fcf56918d2023f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykYa.exe

Filesize
439KB

MD5
d29410d1f1668d4965f36011656e776d

SHA1
2ada67c99c8843a98f6865b38a32dc698b47f917

SHA256
581e40201adc049c8e9fc5c86305206967485460fd885c0bc4d82984eea150bf

SHA512
fe8378ab37d12d3dc0557bde88be747fca3a7e400e5c875306989216e06db9bdecce2937e52d10d5972cf687a51d313edaf3a04a82688920b436a4d426f335e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zSQw.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\sgYEEgYo\LwcwYwAE.exe

Filesize
431KB

MD5
650354face199436986a63261acb5437

SHA1
1cce819aed21caca4fe8b7a03638c672f711ef1e

SHA256
372805d1aa316a362b0486f136d7262b3ce356971ae72192aee7dea0799a6abb

SHA512
cf944537d01301322cb31eca0f22540b2d96d7aed68f91b285c80b242b1eb35df59013b6fb5911be7f4221a3ef546eb22516d02206ee586322b10764c6473702

Download Submit
memory/436-324-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/840-474-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/840-465-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/924-65-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/924-53-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1308-113-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1308-101-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1336-1161-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1336-1178-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1368-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1368-126-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1616-501-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1616-514-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1804-546-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1804-601-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1932-210-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1932-184-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2324-355-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2548-830-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2548-865-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2832-67-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2832-78-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3172-100-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3172-6-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3212-340-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3316-454-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3316-464-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3476-908-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3476-758-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3476-787-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3476-882-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3476-1048-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3476-1002-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3536-22-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3536-31-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3588-30-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3588-42-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3748-90-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3748-79-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3808-116-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3808-14-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4492-131-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4492-117-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4536-94-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4536-105-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4664-142-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4664-127-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4760-680-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4760-643-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4852-145-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4852-159-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4860-732-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4860-682-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4892-500-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4892-475-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4944-1154-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4944-1120-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4976-510-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4976-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4976-93-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5084-918-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5084-953-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5100-52-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5100-41-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download