88e29b165f22416dab1e54c1470b5c054ec666e3ba41b0c4b6b750d034e3f759

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 17:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cc0aba20f7299856b64bb471442d784b.exe
Size

484KB
MD5

cc0aba20f7299856b64bb471442d784b
SHA1

d2e72b45d5a6f08210469ed14960a8461b04a829
SHA256

88e29b165f22416dab1e54c1470b5c054ec666e3ba41b0c4b6b750d034e3f759
SHA512

cc93aa2c1a48b08230609a7084db165148d509203360968d7152b52b8c201e5949b6f5a7ad65677371dd399f493c1b3dcec2f819b46524fe673c287ba799124e
SSDEEP

12288:qpL0oRVMMIqjBah9pZgv8TzNDf9jyFQfDQtgUnx8EOW4:rJEBmH+v8FD1LUnx8EO

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (54) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	RUAAsAEE.exe

Executes dropped EXE 3 IoCs

pid	Process
1308	HcAYIgsM.exe
3992	RUAAsAEE.exe
4436	jCsUcoEg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RUAAsAEE.exe = "C:\\ProgramData\\cOEYwYco\\RUAAsAEE.exe"	cc0aba20f7299856b64bb471442d784b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HcAYIgsM.exe = "C:\\Users\\Admin\\xWgwcQgQ\\HcAYIgsM.exe"	HcAYIgsM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RUAAsAEE.exe = "C:\\ProgramData\\cOEYwYco\\RUAAsAEE.exe"	jCsUcoEg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RUAAsAEE.exe = "C:\\ProgramData\\cOEYwYco\\RUAAsAEE.exe"	RUAAsAEE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HcAYIgsM.exe = "C:\\Users\\Admin\\xWgwcQgQ\\HcAYIgsM.exe"	cc0aba20f7299856b64bb471442d784b.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\xWgwcQgQ\HcAYIgsM	jCsUcoEg.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	RUAAsAEE.exe
File opened for modification	C:\Windows\SysWOW64\sheEnableSave.ppt	RUAAsAEE.exe
File opened for modification	C:\Windows\SysWOW64\sheSelectRestart.mp3	RUAAsAEE.exe
File opened for modification	C:\Windows\SysWOW64\sheStopInstall.xlsx	RUAAsAEE.exe
File opened for modification	C:\Windows\SysWOW64\sheSubmitUnprotect.jpeg	RUAAsAEE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\xWgwcQgQ	jCsUcoEg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3888	reg.exe
2356	reg.exe
2948	reg.exe
924	reg.exe
3152	reg.exe
1488	reg.exe
1676	reg.exe
2988	reg.exe
3524	reg.exe
1916	reg.exe
4424	reg.exe
4452	reg.exe
4768	reg.exe
2988	reg.exe
4536	reg.exe
2992	reg.exe
412	reg.exe
4172	reg.exe
1332	reg.exe
2352	reg.exe
3520	reg.exe
812	reg.exe
2564	reg.exe
4468	reg.exe
3428	reg.exe
2740	reg.exe
3076	reg.exe
1736	reg.exe
4036	reg.exe
2564	reg.exe
1132	reg.exe
3544	reg.exe
1708	reg.exe
1104	reg.exe
1840	reg.exe
4380	reg.exe
4444	reg.exe
2180	reg.exe
4112	reg.exe
1892	reg.exe
1488	reg.exe
2492	reg.exe
4660	reg.exe
4424	reg.exe
5112	reg.exe
3936	reg.exe
3976	reg.exe
4488	reg.exe
812	reg.exe
644	reg.exe
920	reg.exe
1692	reg.exe
3084	reg.exe
3488	reg.exe
4500	reg.exe
3104	reg.exe
1128	reg.exe
3976	reg.exe
2328	reg.exe
4488	reg.exe
396	reg.exe
2264	reg.exe
3164	reg.exe
2200	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3148	cc0aba20f7299856b64bb471442d784b.exe
3148	cc0aba20f7299856b64bb471442d784b.exe
3148	cc0aba20f7299856b64bb471442d784b.exe
3148	cc0aba20f7299856b64bb471442d784b.exe
1216	cc0aba20f7299856b64bb471442d784b.exe
1216	cc0aba20f7299856b64bb471442d784b.exe
1216	cc0aba20f7299856b64bb471442d784b.exe
1216	cc0aba20f7299856b64bb471442d784b.exe
1496	cc0aba20f7299856b64bb471442d784b.exe
1496	cc0aba20f7299856b64bb471442d784b.exe
1496	cc0aba20f7299856b64bb471442d784b.exe
1496	cc0aba20f7299856b64bb471442d784b.exe
4884	cc0aba20f7299856b64bb471442d784b.exe
4884	cc0aba20f7299856b64bb471442d784b.exe
4884	cc0aba20f7299856b64bb471442d784b.exe
4884	cc0aba20f7299856b64bb471442d784b.exe
3428	cc0aba20f7299856b64bb471442d784b.exe
3428	cc0aba20f7299856b64bb471442d784b.exe
3428	cc0aba20f7299856b64bb471442d784b.exe
3428	cc0aba20f7299856b64bb471442d784b.exe
3060	cc0aba20f7299856b64bb471442d784b.exe
3060	cc0aba20f7299856b64bb471442d784b.exe
3060	cc0aba20f7299856b64bb471442d784b.exe
3060	cc0aba20f7299856b64bb471442d784b.exe
3552	cc0aba20f7299856b64bb471442d784b.exe
3552	cc0aba20f7299856b64bb471442d784b.exe
3552	cc0aba20f7299856b64bb471442d784b.exe
3552	cc0aba20f7299856b64bb471442d784b.exe
4488	cc0aba20f7299856b64bb471442d784b.exe
4488	cc0aba20f7299856b64bb471442d784b.exe
4488	cc0aba20f7299856b64bb471442d784b.exe
4488	cc0aba20f7299856b64bb471442d784b.exe
2492	cc0aba20f7299856b64bb471442d784b.exe
2492	cc0aba20f7299856b64bb471442d784b.exe
2492	cc0aba20f7299856b64bb471442d784b.exe
2492	cc0aba20f7299856b64bb471442d784b.exe
3788	cc0aba20f7299856b64bb471442d784b.exe
3788	cc0aba20f7299856b64bb471442d784b.exe
3788	cc0aba20f7299856b64bb471442d784b.exe
3788	cc0aba20f7299856b64bb471442d784b.exe
776	cc0aba20f7299856b64bb471442d784b.exe
776	cc0aba20f7299856b64bb471442d784b.exe
776	cc0aba20f7299856b64bb471442d784b.exe
776	cc0aba20f7299856b64bb471442d784b.exe
2976	cc0aba20f7299856b64bb471442d784b.exe
2976	cc0aba20f7299856b64bb471442d784b.exe
2976	cc0aba20f7299856b64bb471442d784b.exe
2976	cc0aba20f7299856b64bb471442d784b.exe
5016	cc0aba20f7299856b64bb471442d784b.exe
5016	cc0aba20f7299856b64bb471442d784b.exe
5016	cc0aba20f7299856b64bb471442d784b.exe
5016	cc0aba20f7299856b64bb471442d784b.exe
4476	cc0aba20f7299856b64bb471442d784b.exe
4476	cc0aba20f7299856b64bb471442d784b.exe
4476	cc0aba20f7299856b64bb471442d784b.exe
4476	cc0aba20f7299856b64bb471442d784b.exe
4604	cc0aba20f7299856b64bb471442d784b.exe
4604	cc0aba20f7299856b64bb471442d784b.exe
4604	cc0aba20f7299856b64bb471442d784b.exe
4604	cc0aba20f7299856b64bb471442d784b.exe
644	cc0aba20f7299856b64bb471442d784b.exe
644	cc0aba20f7299856b64bb471442d784b.exe
644	cc0aba20f7299856b64bb471442d784b.exe
644	cc0aba20f7299856b64bb471442d784b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3992	RUAAsAEE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe
3992	RUAAsAEE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 1308	3148	cc0aba20f7299856b64bb471442d784b.exe	90
PID 3148 wrote to memory of 1308	3148	cc0aba20f7299856b64bb471442d784b.exe	90
PID 3148 wrote to memory of 1308	3148	cc0aba20f7299856b64bb471442d784b.exe	90
PID 3148 wrote to memory of 3992	3148	cc0aba20f7299856b64bb471442d784b.exe	91
PID 3148 wrote to memory of 3992	3148	cc0aba20f7299856b64bb471442d784b.exe	91
PID 3148 wrote to memory of 3992	3148	cc0aba20f7299856b64bb471442d784b.exe	91
PID 3148 wrote to memory of 3668	3148	cc0aba20f7299856b64bb471442d784b.exe	95
PID 3148 wrote to memory of 3668	3148	cc0aba20f7299856b64bb471442d784b.exe	95
PID 3148 wrote to memory of 3668	3148	cc0aba20f7299856b64bb471442d784b.exe	95
PID 3668 wrote to memory of 1216	3668	cmd.exe	97
PID 3668 wrote to memory of 1216	3668	cmd.exe	97
PID 3668 wrote to memory of 1216	3668	cmd.exe	97
PID 3148 wrote to memory of 1836	3148	cc0aba20f7299856b64bb471442d784b.exe	98
PID 3148 wrote to memory of 1836	3148	cc0aba20f7299856b64bb471442d784b.exe	98
PID 3148 wrote to memory of 1836	3148	cc0aba20f7299856b64bb471442d784b.exe	98
PID 3148 wrote to memory of 5040	3148	cc0aba20f7299856b64bb471442d784b.exe	99
PID 3148 wrote to memory of 5040	3148	cc0aba20f7299856b64bb471442d784b.exe	99
PID 3148 wrote to memory of 5040	3148	cc0aba20f7299856b64bb471442d784b.exe	99
PID 3148 wrote to memory of 3488	3148	cc0aba20f7299856b64bb471442d784b.exe	101
PID 3148 wrote to memory of 3488	3148	cc0aba20f7299856b64bb471442d784b.exe	101
PID 3148 wrote to memory of 3488	3148	cc0aba20f7299856b64bb471442d784b.exe	101
PID 1216 wrote to memory of 3580	1216	cc0aba20f7299856b64bb471442d784b.exe	104
PID 1216 wrote to memory of 3580	1216	cc0aba20f7299856b64bb471442d784b.exe	104
PID 1216 wrote to memory of 3580	1216	cc0aba20f7299856b64bb471442d784b.exe	104
PID 1216 wrote to memory of 2072	1216	cc0aba20f7299856b64bb471442d784b.exe	106
PID 1216 wrote to memory of 2072	1216	cc0aba20f7299856b64bb471442d784b.exe	106
PID 1216 wrote to memory of 2072	1216	cc0aba20f7299856b64bb471442d784b.exe	106
PID 1216 wrote to memory of 1812	1216	cc0aba20f7299856b64bb471442d784b.exe	160
PID 1216 wrote to memory of 1812	1216	cc0aba20f7299856b64bb471442d784b.exe	160
PID 1216 wrote to memory of 1812	1216	cc0aba20f7299856b64bb471442d784b.exe	160
PID 1216 wrote to memory of 1840	1216	cc0aba20f7299856b64bb471442d784b.exe	162
PID 1216 wrote to memory of 1840	1216	cc0aba20f7299856b64bb471442d784b.exe	162
PID 1216 wrote to memory of 1840	1216	cc0aba20f7299856b64bb471442d784b.exe	162
PID 1216 wrote to memory of 2580	1216	cc0aba20f7299856b64bb471442d784b.exe	109
PID 1216 wrote to memory of 2580	1216	cc0aba20f7299856b64bb471442d784b.exe	109
PID 1216 wrote to memory of 2580	1216	cc0aba20f7299856b64bb471442d784b.exe	109
PID 3580 wrote to memory of 1496	3580	cmd.exe	114
PID 3580 wrote to memory of 1496	3580	cmd.exe	114
PID 3580 wrote to memory of 1496	3580	cmd.exe	114
PID 2580 wrote to memory of 3928	2580	cmd.exe	115
PID 2580 wrote to memory of 3928	2580	cmd.exe	115
PID 2580 wrote to memory of 3928	2580	cmd.exe	115
PID 1496 wrote to memory of 1548	1496	cc0aba20f7299856b64bb471442d784b.exe	116
PID 1496 wrote to memory of 1548	1496	cc0aba20f7299856b64bb471442d784b.exe	116
PID 1496 wrote to memory of 1548	1496	cc0aba20f7299856b64bb471442d784b.exe	116
PID 1548 wrote to memory of 4884	1548	cmd.exe	118
PID 1548 wrote to memory of 4884	1548	cmd.exe	118
PID 1548 wrote to memory of 4884	1548	cmd.exe	118
PID 1496 wrote to memory of 2572	1496	cc0aba20f7299856b64bb471442d784b.exe	119
PID 1496 wrote to memory of 2572	1496	cc0aba20f7299856b64bb471442d784b.exe	119
PID 1496 wrote to memory of 2572	1496	cc0aba20f7299856b64bb471442d784b.exe	119
PID 1496 wrote to memory of 2740	1496	cc0aba20f7299856b64bb471442d784b.exe	120
PID 1496 wrote to memory of 2740	1496	cc0aba20f7299856b64bb471442d784b.exe	120
PID 1496 wrote to memory of 2740	1496	cc0aba20f7299856b64bb471442d784b.exe	120
PID 1496 wrote to memory of 868	1496	cc0aba20f7299856b64bb471442d784b.exe	121
PID 1496 wrote to memory of 868	1496	cc0aba20f7299856b64bb471442d784b.exe	121
PID 1496 wrote to memory of 868	1496	cc0aba20f7299856b64bb471442d784b.exe	121
PID 1496 wrote to memory of 3504	1496	cc0aba20f7299856b64bb471442d784b.exe	122
PID 1496 wrote to memory of 3504	1496	cc0aba20f7299856b64bb471442d784b.exe	122
PID 1496 wrote to memory of 3504	1496	cc0aba20f7299856b64bb471442d784b.exe	122
PID 4884 wrote to memory of 4844	4884	cc0aba20f7299856b64bb471442d784b.exe	127
PID 4884 wrote to memory of 4844	4884	cc0aba20f7299856b64bb471442d784b.exe	127
PID 4884 wrote to memory of 4844	4884	cc0aba20f7299856b64bb471442d784b.exe	127
PID 3504 wrote to memory of 1864	3504	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
"C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\xWgwcQgQ\HcAYIgsM.exe
  "C:\Users\Admin\xWgwcQgQ\HcAYIgsM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1308
- C:\ProgramData\cOEYwYco\RUAAsAEE.exe
  "C:\ProgramData\cOEYwYco\RUAAsAEE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
    C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        8⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        10⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        12⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        14⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        16⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        18⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        20⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        22⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        24⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        26⤵
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        28⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        30⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        32⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        33⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        34⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        35⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        36⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        37⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        38⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        39⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        40⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        41⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        42⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        43⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        44⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        45⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        46⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        47⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        48⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        49⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        50⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        51⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        52⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        53⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        54⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        55⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        56⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        57⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        58⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        59⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        60⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        61⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        62⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        63⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        64⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        65⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        66⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        67⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        68⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        69⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        70⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        71⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        72⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        73⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        74⤵
        
        PID:3084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        75⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        76⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        77⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        78⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        79⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        80⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        81⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        82⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        83⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        84⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        85⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        86⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        87⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        88⤵
        
        PID:4516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        89⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        90⤵
        
        PID:3520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        91⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        92⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        93⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        94⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        95⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        96⤵
        
        PID:3836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        97⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        98⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        99⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        100⤵
        
        PID:1912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        101⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        102⤵
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        103⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        104⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        105⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        106⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        107⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        108⤵
        
        PID:392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        109⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        110⤵
        
        PID:3088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        111⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        112⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        113⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        114⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        115⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        116⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        117⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        118⤵
        
        PID:2016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        119⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        120⤵
        
        PID:4432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        121⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        122⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        123⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        124⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        125⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        126⤵
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        127⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        128⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        129⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        130⤵
        
        PID:4432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        131⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        132⤵
        
        PID:2764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        133⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        134⤵
        
        PID:2800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        135⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        136⤵
        
        PID:1912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        137⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        138⤵
        
        PID:2768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        139⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        140⤵
        
        PID:4528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        141⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        142⤵
        
        PID:3900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        143⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        144⤵
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        145⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b"
        146⤵
        
        PID:1988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b
        147⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        Modifies registry key
        
        PID:4112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EawEgogc.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        146⤵
        
        PID:2740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:1096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsYwAwAc.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        144⤵
        
        PID:5100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWkwsMEM.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        142⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaIcEwIY.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        140⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laUokMAs.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        138⤵
        
        PID:2612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:1936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yukQUQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        136⤵
        
        PID:1636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYoMEcEI.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        134⤵
        
        PID:4612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEMEAMMk.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        132⤵
        
        PID:2200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:2768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gawIkkUk.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        130⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUooEAUc.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        128⤵
        
        PID:3936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAQAYcII.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        126⤵
        
        PID:4808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCAgcwUg.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        124⤵
        
        PID:684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HywAYQwk.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        122⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwocQAgI.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        120⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAEYoMcI.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        118⤵
        
        PID:3900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSsgkQAA.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        116⤵
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkwskAIU.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        114⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiAMEoMM.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        112⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:1916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWQccIgw.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        110⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqkcEIMo.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        108⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RogYwkUA.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        106⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGwQoAEE.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        104⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWEkMEoo.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        102⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies registry key
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIIAIsYw.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        100⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:3888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQwoIsgs.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        98⤵
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGAUYwIw.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        96⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:3428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwwIYwYs.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        94⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcIAgwQk.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        92⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKwscIgc.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        90⤵
        
        PID:1664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yUEkYUwk.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        88⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeoIIEME.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        86⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEcwIYsM.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        84⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:2948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycUcEAYM.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        82⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeUEcMUs.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        80⤵
        
        PID:4656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsIAUMYs.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        78⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIMkoMAI.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        76⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIUgoosc.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        74⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQQYgssU.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        72⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zooMUAIY.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        70⤵
        
        PID:3924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmgckEww.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        68⤵
        
        PID:780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyEcwIsU.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        66⤵
        
        PID:312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwcIocMs.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        64⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKQIgMkE.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        62⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwIAEgAA.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        60⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsAsUMIs.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        58⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkEMIMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        56⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csUQgAkE.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        54⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwgAsAcc.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        52⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KosIUsEE.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        50⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMooYIww.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        48⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCsEwEAY.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        46⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIcwsUos.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        44⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boMcMcYE.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        42⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEkoAoog.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        40⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKgksgIw.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        38⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:4424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcAwsEII.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        36⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMQQMwAM.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        34⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUkUksoM.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        32⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mioMgwAs.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        30⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcgMUEMU.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        28⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suwAgcwg.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        26⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiAUAYQg.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        24⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsAQssMw.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        22⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGwwwQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        20⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcgEkkYo.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        18⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUcoAAIE.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        16⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIQMQEwM.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        14⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCAkUAss.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        12⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SygUIAUo.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        10⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyoQwgIY.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        8⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1696
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2572
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2740
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYwYEgMw.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1864
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIIYQMQk.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1836
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5040
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egEcUAcc.bat" "C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b.exe""
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4476

C:\ProgramData\ZEIsYwgs\jCsUcoEg.exe
C:\ProgramData\ZEIsYwgs\jCsUcoEg.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4436

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 1Gx5UQmfEUK+KU0D5nbhgQ.0.2
1⤵
PID:3548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3924

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ZEIsYwgs\jCsUcoEg.exe

Filesize
433KB

MD5
4f7d74f3706c16e6630e83a9ae6b5286

SHA1
9b6d3c8bab10b3309955bed0d8a08a25003ee74d

SHA256
712969c5a59861f7c035503fb491aa017fa6006fbb10feb8949c15ca8dda271b

SHA512
18563cd33720d7d3956e647a08a3629117592643adeb9b2cc57b6b1ce7ba1da7d9e510ab4979cf961a9b25b41033113c9db1f9ed759a0bf4c6bc6092f7163129

Download Submit
C:\ProgramData\cOEYwYco\RUAAsAEE.exe

Filesize
434KB

MD5
2b8f9fbfc9c20d295c78bc0dd5af882b

SHA1
b8c29b9a5f6ca3a0646146bdfea988c2332705c1

SHA256
4c4bb20444334ab5397fe881070d9db0840015b787e87420c213a5309388ef83

SHA512
38cc1fdcf9931d0fc9947f23f8fe680ab03e08143388da0759579615f6e80198b1c14d8e108820e6e8aa66b6a30e68700a6b37a456f014424f9a862a11a7cfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIIYQMQk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAEy.exe

Filesize
883KB

MD5
74930e1e39d5601d3c68ae2f245255e2

SHA1
3332d0c0a8e9db243f280dae75afa99e2121cafb

SHA256
198527fee2a7ce7497d8e523922f51b8036b94ee0b8b605cfc6af898ed244263

SHA512
4906f21e643ca027aadca1af8f2c504e62fddf9899e94cd20e4a7540be42340c3cb658757e49beae8adb7a263b72f71764c3e080e9dbdcd7eb920fa81eb9e329

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwUc.exe

Filesize
291KB

MD5
e3e4a0ee4d1c7a269dad0933c43b1861

SHA1
485d73731d6d18d16aa6c174966ce304a364ef5c

SHA256
bce6bbc15e5f9d47fa896d5fdc35ab7d21e1084a9d7703420cd11e7f994badbb

SHA512
4a9b9a7bc63a37dfb358f6b3683e042988a62323029378518f8bfba6466b62898ebc9ad5cfe07fae67995e3a62aee449bc9d6065dd6fd33118b9815b6976fc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAIC.exe

Filesize
439KB

MD5
7a0203e3a1415c505b48c170fef2b96d

SHA1
f914beae1fa004fe2fbd98a65d4828cf28fb2288

SHA256
4d293fe4631b441798c973f01b49b1d99569d75370faad540c8b01cf95371fcf

SHA512
349475d400319d2bf85a5a594eb97b6905df207f5f5b7474460ac68d7f06fe09c2fc9998fb63b45bd25ce4f9aa8df2444e1cb32860f61a340c5ba6a0c44747ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIcm.exe

Filesize
442KB

MD5
6ae381272fcdf481c55ae8193728bbdc

SHA1
b9bc84fd1dfbf4ed240cb1c302f4e7a8ab07f34c

SHA256
c32f0f4e4da63e86aea3e277248280bedfa62123aed307fb7abd1a697a31407c

SHA512
0ede89f0fb57325fdec05327a5eaa7e206faa2005a7cdfe5695656fb353f81c29897c4565967f520ef513ac858a112b7305241281197bdb4c0764e2c9fba45cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQUW.exe

Filesize
437KB

MD5
b7073038a19f727582fca99f762c717e

SHA1
0e212d03a82f674042a6b47b3880c1ca6f806d04

SHA256
0def42111d6b0fa309df15fdf509f294953df48a9d63e11172c5f33a62492f0e

SHA512
2100d6db215f3d1e8fd9f39cb3a683b4071cc2f9c9eb270b8769893de7b4374db667adaa332b033ea4cac6c9cc296904d665eaeb1d80f1320e55ae8597ef2c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgEe.exe

Filesize
441KB

MD5
ca1d48b0c4c8daf7d30ea5c698ee1e2b

SHA1
9d7d56524d82a6f7feedf964c832e025352c28df

SHA256
5395dae912b61b484f3f8bc4d5527c1c7b9416f21df24bc40f3f40f81980ed60

SHA512
a1f1e331c1e2600a539d570568538878ab016e7abe3531a60d3f350cdab480385f4bc7df1f6341ba0edfd35ea16e88343eac5a20131e4311df8621e18bef66de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwgm.exe

Filesize
2.0MB

MD5
72902b16956300fc5ac8b72c1ed3c878

SHA1
d9e887fa2bf011639c67e09b53fc3787e5af89b5

SHA256
eec748bbb91d3f5a35113ad5171d08ed6ee94b73d4000026de29e3f363cc1f09

SHA512
ef07af8689886de5290effe121d1693e4b4c3de48c82fc7d45a8734f94d6bd4f20381817ffb283d0bd47410474818ce4306e612dee64853a6b4f17ba57bc7a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAwc.exe

Filesize
5.5MB

MD5
10b0794d7386556ff09bdca7ec748bad

SHA1
8d7e9f4d8f1d509cb0bcfeae9cc1b5e9756858a6

SHA256
498eaaf087ceb440ecf061b9f4a23bae55f0d90a2d8545bb5d87eba7dc7a05ff

SHA512
cfce2a4667cb13825b55d1a23f07134c26e9a36a63fe7a5c57e191cb14ca55695de84574ad960821caa5a65489713ee6755b3626b29230f56b8bcda188a3d770

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMYe.exe

Filesize
1.0MB

MD5
0a8c38dc9ef6b41dc15295f6bbc7b9ba

SHA1
ae7ee2bcea990eb5e42693ba3515f535e116e7ac

SHA256
9ad09a708ca1a9b30b8bd57f02091042808c64bbc935c34ad5c977679e21c8c4

SHA512
97a568aa557939964eba9a44b7967f4597c23c42ebf2748c1017b7eaadfa2382736530acb263b6515a01747fcce45950ddd534b0a0b28564307742eb805804d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMwA.exe

Filesize
439KB

MD5
58d154f10524a2c52f0caa8cab4c52ea

SHA1
13d65a0dbcfc0f0f04d4e179284c18b70e5c051f

SHA256
b474c923c006690bfd505640214c1544629a88452c701e76c9bd5b99facabf7c

SHA512
b2872a906621e9c17ffbdd43e7b3dc72c1dcb6282265f493fe03c3368027847b3b2435cd3d5d9aa4a6ad442a256631aaeb88de4454ecc8efd84930551e4fd4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\FokY.exe

Filesize
462KB

MD5
91171ab71295b996ea618d094252d465

SHA1
ca2c83931e894c4a6789d63788e5b7d4044e2814

SHA256
8dde145a5249097b18dbcc855ffd9a1c2fb1e75c2e39ac042868f19ffbfb69ea

SHA512
734b37be3fafd54f438764f7b4645c712dd50a8ac0f63191171f7779aa81a7cdcdd860637d3d8b4ea20db52d2ed7da0a8ffef73df37d850fe3cea815217833ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fose.exe

Filesize
438KB

MD5
8fe4103dd4dafd98eca51d74ad9abc48

SHA1
529bdb1658d123c7751f68451e067879a75db79d

SHA256
89cc774b46dbec47a4bb03aa44e952fac1ca0f94b2378a20ed37e52b9c94f1d1

SHA512
6e811a6e7f9033e98131a2b2c665456abdeb98060aa7ce539770514080d52f98d38ed77d698a82379a6543cdc83e066ef6ab617c2fc22dc6b39f4b75d3fd90db

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAkc.exe

Filesize
561KB

MD5
550eb96236a602f7bd1fa10561051d51

SHA1
c5336e907395c15751c1374698e75ce6addd5886

SHA256
9bd7bf1a9e4aab58f59981f34ef90e78ab5372c3a872086845203d81caa7b87b

SHA512
42fa3b96a51de416048d8deaa5a39746e700823d6bfdf81ff0eb8688cb87e85dbe2500f525719167690604f42028ffdf780de2118152620482ce05dc1f74fb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAgQ.exe

Filesize
777KB

MD5
febeb2f841932eaa26328dcb7ea62c49

SHA1
f42fac62b7397ab3137693226eb31ae1424aa7f8

SHA256
7171a8cb190af140d6b6808399d07172fba85a95d360b28ea5ae7693baf96488

SHA512
6a716afb3c9da5872a70b211bb1fcfac9c05eb3dc246fc378e50d7f9decd716516fcd8eae1198ea72c56ffcfd411fd32e8926c70348609aa61285b50afa31c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMIy.exe

Filesize
584KB

MD5
eefe656470a1be70ce036431e46b29ac

SHA1
9673d48c07ce66e9e8693f300f2006a6b1daea42

SHA256
55a25cbb5666722837215ac76623645187904e13c248052e4185ad043622f311

SHA512
933d9bf2a88cae390e5d2896989e0dfdbdac2fe23181eae85668a5432e8dbb41cb43ec0e4952c266d0ac28840b881c13acddc00a4e0209bd4f8682d2ab2e09fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEYk.exe

Filesize
438KB

MD5
b60e5a0380a493f9ce969beb1f262a39

SHA1
ddd86bb63bea08f70e84247f71c45d272d626947

SHA256
453184e78609c634a1d9c0e523cd3fe533b5167c7aab0549dd18facd418f33c5

SHA512
b81c8b91a454604d0c1a97f95399f53c592a0ea97cafc189bb1c158f60615726508d875a4cc8922e8201b423eda0a29dce89ba8b321c8e741e3ed6ccfb522e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUUk.exe

Filesize
727KB

MD5
b871eda28aa33607d41e50ea3e4cdc01

SHA1
2e3b2dd2ccfda4fce0083682fcf7e8abcb868584

SHA256
114972b2292dd55f28f2788c81111315f262d636e0374b6f5ed25def1d5517d5

SHA512
8a9037e76a45514b012c5929df8d22f9443584e06ff30ffbfb82001412eedff3ca76937a29fd54b639b575fd3af29a54aa5980e05e7aea976e6f1a2952a2d23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmkI.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAYe.exe

Filesize
21KB

MD5
c8093fb99f044fea1261f2abef48fec8

SHA1
4bc0d0ccc8fff019865046faa09bb5a64a9b296d

SHA256
663f68bf4d7f21feb85178f9a49afe5e3eb8f04a0f7286e01fcfb8a8c98b0324

SHA512
0d8d7db531515c7e654c1b80d117ff11d78b3c6eeb463b506c7dd7e6bf6d0c6b1acfc96fefd4b4395d4c7d6b7b54b4056b8ee250e890d102f69a7ba4ca18f4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEUy.exe

Filesize
448KB

MD5
74da197d66fc653be293ff8d86a54c0f

SHA1
052d790710168dcaa99b78762e7eca5201141411

SHA256
304180e8753a72b693ab3b27a3d9b01a268e98aa1daf080cf187128267dff310

SHA512
461de827a08793aefdad3dbf82258b5a0aee1f1b0c037e4e883a158f73c31ecfa6bca5b893b6d6f3ad81cd831a6297a8c774f1e5d93af787b8480f471a79891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIcu.exe

Filesize
351KB

MD5
48c27191f7f7766838879423dc4dc303

SHA1
ae341749de05c42ee338cae84f849f9e2788a5df

SHA256
6387af5a4009b13d03c958b644435073cd3eac3f4cdcf2b2d665be81b7e5b36d

SHA512
75f51412f73847017f760c562b91eb5f7908d5522dca7005715d6485e143100e93b243a5f8f85174d72c6681f602ff2645b089adfbfbd2787247f93c350a6829

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mokc.exe

Filesize
441KB

MD5
520d254af55365b37928ac52059bc327

SHA1
db9d601782496c027b0fda424ba7f6d76d883266

SHA256
e0408d95098432ed8b2776d6c5dfe8e7f2a05eced986283060a8da931964497d

SHA512
b0eb466aabb481de434e8fe981120fa3050cab7cd61a84a1c812b442fd792849625433fd224e495b35acd4fbff7c09d5033655f013113d0c203728d8942c34d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NoUE.exe

Filesize
438KB

MD5
78da0926e94ac0a3ccbf76a74ceee566

SHA1
981c3821b0399a594e1d0ae5cb43babb1c254a7e

SHA256
184d92ad000b43939bff8fbb4cd8af6be6053a866ba1f355426bc4ec6685b868

SHA512
867a010befa8e5b872e2de188219ea8abd13095c051d2f959e5b78a9b3fd4f81d23d9d5ea60fe40a772f5a32ddea137bae4591bf08eaa28d9e53f5dcd29634a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OocO.exe

Filesize
435KB

MD5
35f3c252c7e60dd2fc24db9db1000007

SHA1
980a94b38c4033af2251ad076675ca3499855936

SHA256
bb9e1c6246ec112f96a266681a3ea435765c33a9b6f349afa5c0f4b775a818d6

SHA512
8f7fe764e3d7b17ef42ae7f425ba5670cf023a0b0d5e33dbfdefb133c660394b92a814432729643e7cc2ae4777503a8121bc7b71e23579e7bb683e087cdb134b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Psoq.exe

Filesize
879KB

MD5
a9b6ab28d8a21a896054be427ff232b9

SHA1
b2e8bfa8871aa030dce387c23fb0cc419c2c29d1

SHA256
10e7175c9066d363236b2e7b723673332eafe0c2343edd20932ccefada0a92aa

SHA512
04a0b7843eae93e60092de65cab50c5bf427b37f52db83b864003d18e45268fcc0a6e3c3d03a11df1da952a65db8a63684f55af63fd3a9200d261488b19db26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIIk.exe

Filesize
435KB

MD5
270225ceb52035fd47a0c011654ebb76

SHA1
3038493fc0c6b61591e35c3a88b41b72976de937

SHA256
fa2d7e43be67a31662f64572e468b253f3360ed30e43a8fbe6857235bf72905f

SHA512
ffe65243c50cee8ebdb2b0588d1e58f232b28627030493a956f124d4c5298fb1c59ebc2726e173d85b6971afbb19aad94d18e1286c79c7ebb4a4ae58a828ab54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rcsu.exe

Filesize
220KB

MD5
ca8a39bd7d0c80c1381ffdf7dd1e2b7b

SHA1
689781114b8f5682d0815de5b40e0da397e9ac82

SHA256
4ccbbddbbf9a6e9cfca60042b5b94cfce90e581c123e28d3865187b1ce85a168

SHA512
dddff591c8be906ca1a7b00dbf7c0be987ebffff1841bda724edeeaf5f36f66fd27d2f022372955daf010ae4618439b37044e98c06466b20ccd8679d2354ba85

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAMw.exe

Filesize
440KB

MD5
8a49f7ba60c419a0954086a4c60daff0

SHA1
62db24cbb4a629a847518d0c2624b0a77c1faf75

SHA256
9aee03bf5ff3e348626e641cc6e42dc3948278218e276339a99266b640084ea3

SHA512
e37cfee92b99199a78e61780885c24a80db5244b9f2b6df393f9fe5d4c842eb95871189e4d41343308a31aa8da8611098a8e4bed95948eba8fb77ef0fbaf3ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIUq.exe

Filesize
1021KB

MD5
eeab0fabc3a16ac7756e6069589646b0

SHA1
3dd6b44cb17b77a8c17872983b6ab1e660913451

SHA256
8da0e5ec31ed3bfbdbb58a86960eefea6541797e0d81740237f164083e8b3561

SHA512
d7aff08f677f71401c1cd458cfbc18b4bdfcf389486a6905aa18fbd8a7e64be6764992152dea91e97a445664aa6856742fc00aea070c17129dcb52b4e2d294ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScQk.exe

Filesize
109KB

MD5
a66727c385bc2b8b0149ffd9737c4001

SHA1
bb732dbbc04040f667a1d55726223bd1c4d721db

SHA256
586ec307903602f11da7eea178491c71aadad9c63f7fd5eb5664f648d87f14da

SHA512
6f570c2ab26b5e3fb0132e3b9d2c2f0502ec0204d75f9d2ca9b829b2ef6fbb690f8934ecc4716f154bc6daac1fcacc888a03536f8b548f3353ef28216fdba7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgIY.exe

Filesize
887KB

MD5
2e7a94cdf0b8379f74ec76ca0622da9f

SHA1
caa0277bc643cabab2aaa3452388fda04ef8ab47

SHA256
958d1f3ed217ad50a01322535b001d45b0732fd916f336939d51ad04049fb7f6

SHA512
1ca5e338697a1603ab2d020f7cfa6124c60d521d23358fd046e77f7dc0972ec4cac3d64bf70a8dab5f5132c75b2e62f5a7f048f2b00c994790d5c548150dde61

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUgS.exe

Filesize
1.0MB

MD5
5b77d9f43341baed7cfbbe8c9868825b

SHA1
118732bd8c1ef2f0776045f2fc81f37d706d3245

SHA256
2d88f7fe4f0d3abb36763daef591aae43b4b68af52e7d636a97b397c71109a3c

SHA512
4017ba641bfca434aa738a4b7f310c5bc2e537459a6405260176ffae1e9d2126c5a2694f659862c00c5adee7dd5334b73d893109157b7abf9b9a22329cd34070

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwEa.exe

Filesize
439KB

MD5
70db7691961e636899ac97bf19f53772

SHA1
37c10535e1dc7c4d4d48d565d6c7ce5fb3cced65

SHA256
030002bc78ba638a3d1753b5a726fd9ea8955d2fa49b3d55d5e95f7d2f5172a8

SHA512
0733badeb5ab7b52e34ecb811f6e3e82d4db841a6fd944d043b705b6d8e50fd196aa1201555553c411e725b19306744373825c8337d9c7e53957c21eef0bce71

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIEQ.exe

Filesize
437KB

MD5
b20dd40e1a4736316b3377a59f749b52

SHA1
3be8dfe4073a474468bb2b2ccc957007ade79e46

SHA256
33da717f1275e4c6495ec82dc2fbdc870cdf028d6e9026a7f7dad1b6eb360dd4

SHA512
5dd1b7b8ad15db2bf4e27776184b9de659d6a86b56426d84b067819bd09dd193af622259f2bfa77a52c52ebdf407fae6b83e373a6e6b9964ab17da888dfda986

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIwO.exe

Filesize
440KB

MD5
9df97a8aecb8dc3acf722428c1cc370a

SHA1
cacd06277bcee69522500a3d73ce66218d206f15

SHA256
cab3dfb8f5ce90976b618f24fd606c8377e2862049a45c8a598bb5526c09f3f0

SHA512
7062983e4bfb4d6f8c2aae0cd9e2e7698e04a9f3d902124dadeb9febd9abe80820c327ff2c6357982ea2cdcfd4f5024545c631063f66216702277147e0370008

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQEq.exe

Filesize
888KB

MD5
d749700a96d62b83166584612b66ee20

SHA1
ad2748349508a8c99f4989a00710e8433dcd58a6

SHA256
be93e69481ac5c5584f7a25688047e4a1bf8547bfcdd732dbccbe72db171515e

SHA512
3d625fe2f936584a6b871b88e52b04e57d118610072367662d56f40a20748a1f7dd26bfda2795832024ae7a56f1f562c0be4d387ca5bebca979d3428d9bae9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YmQY.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYEO.exe

Filesize
440KB

MD5
91de6b0399ec78d56a689ebebc1ca569

SHA1
059034b6a667aacccd2e8e8e534a84cf734fcce6

SHA256
a59c668cb7221ea6bf3480aff8889c66a0f5ea0fee1b6183f8f05465e344ef41

SHA512
4e4f170a8c3120242c73c217896ff5aec39d4e7961886ceac7321370ee1968c648296d000c8aa70dd7c21cdef3d1010754d507aeb0c22db376dbd711b61f0346

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYYg.exe

Filesize
502KB

MD5
fd7aabc45d9b93d261a77dc31f5d595c

SHA1
1c5a1cf364c265a7513326f23ed1699ee2d01776

SHA256
d34e18ab5c740c4bd03c9da9e594ad0d7df39024e2da5ce751b80a95814eec3c

SHA512
07ccf5f90358c4c3e71cc57674eee926974b5bc761a8619d480bd8d51ec573a0ffbcb12f8dc5da38b436158734f55642db0f8dad5224fb074c98b10020e0694d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEwc.exe

Filesize
1.0MB

MD5
fb511c4eaff78a4eb65a17d4e53ed897

SHA1
7a1b6da7d530954449dec9a410b730e7716d70c0

SHA256
437b8eb9c8b3d8cee1c4d7bc431d2e878a904136af73d35af89963ba67b6139b

SHA512
9aa41e71576bd82966df3535029fbac342c0f506b2f7e85e073988aa275bb500510f5696462c09bf0d9a249511dfb270fd60d6db553fd0b8b9f44c5b40ea9c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\bSUw.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\boAM.exe

Filesize
434KB

MD5
ac8c94a55760bddd4d66d07e22e50e81

SHA1
ca756aa4891508e7c3aa5193b8cd7e313b2dd59f

SHA256
12e5391e911b99806aa1bdbbb8105eea90a75d3fe4bffedeb289d4d727b73ce9

SHA512
081d69e0d8c60cb500a419bd6b395d10952680035e42edfbb2913721e74854ed7fc4ccd09b8eeba5df2960b1944bf003a3e3b574e9ac2f14829e3bf0ee2c6476

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAIA.exe

Filesize
434KB

MD5
472d6f6bc0195c6d7db0efa97fe6a29c

SHA1
6918895c7ab440d6527e6daed4d34e30d89fe2f1

SHA256
fa4ca060ec43d571e5ee715a808be3867d1be183af343497e1202cf1375a1003

SHA512
9ab31edb7f0db1088300c6267c254f01091366f1d21abaaeaecc529523d484f126535442426218b2802b5dc4c28f1ba8554379994670649075a87a073d5ae75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc0aba20f7299856b64bb471442d784b

Filesize
48KB

MD5
343fa15c150a516b20cc9f787cfd530e

SHA1
369e8ac39d762e531d961c58b8c5dc84d19ba989

SHA256
d632e9dbacdcd8f6b86ba011ed6b23f961d104869654caa764216ea57a916524

SHA512
7726bd196cfee176f3d2002e30d353f991ffeafda90bac23d0b44c84c104aa263b0c78f390dd85833635667a3ca3863d2e8cd806dad5751f7984b2d34cafdc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\doAC.exe

Filesize
64KB

MD5
6c9dd0f84dbd82ce1894f691f2cf3393

SHA1
63338b07ff9607cde9013f5136a8c9c3637021f6

SHA256
81677fd512312a81c4b13a1e0f7ed680ffd8053cf0bc7dfaa5a2b4c2cd4c3bbe

SHA512
21a9150572b7a500a479512bfca97adb2b99ce9b994d30b85874d7441c78b66dd236e74c406f640d743e2beda871523044a37b028593a2d120d9c00641fe55ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsYe.exe

Filesize
846KB

MD5
df6b974a802c386059255f2e72ce1291

SHA1
6507018b91c30c723b0bfd621dfecd9d12f3de65

SHA256
15333ee38c81cf6b23fd100f3bec00e0394ea397951921e6df36e32676393310

SHA512
65a41e31b4d1ee4cc33e7fa9bbd8179cf59310226ed8c1c1f1dfe65b046db430e9a007dc2619aa5e85aaaeaa6436969f21952459a9bb2276a0d3d5a5cd601a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYEe.exe

Filesize
716KB

MD5
7bf3b2c379196f179008a31291dac811

SHA1
a51cdafb8a73e2efc5c200c0be93e782b5384953

SHA256
5a4531aa5b289892f0d3c30b35121461b3089f44da95e28198ac9f56cc8d50cd

SHA512
62b3220126bcb5cbebb2f59689cf1ce215ab065e0a21892e217fc3a07ad5bcc832e0e6382ad54264f6b010c9d852aa467136896ab87bbdc0e42baffdf50cbf23

Download Submit
C:\Users\Admin\AppData\Local\Temp\egAc.exe

Filesize
463KB

MD5
b407b2795888e8a13ab8af0c5473bcd9

SHA1
fa1f492ae6e34d43c8a8af46e83b8c83f910d8b0

SHA256
a3bcf1c65c35286a655b2c21b3d6b30524ce55f00f78aa9dc1ef7e2ff0abd6a4

SHA512
85034fd48d7de0f61aa3372e03050ca9d6d92c098896d154a33cb835c1b879786a89944130aaaad2e5143fc73502fc4c788988c969ab219e3f672baf9126ec96

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcUY.exe

Filesize
887KB

MD5
e6e7e32200e417e192ebf1b6ab5a8a71

SHA1
2608ad76e8e7e10c627a8bb2638bbab88132f160

SHA256
8656dded22660d0fda5b17475179b9f1f7fc1e6fd038b91e004fff7895cc040e

SHA512
e65394ae0c9ea3ce546e73b489530c9e84f0c854a1bcaa8bc4109ccf426e5774943cb4bcb4199874bd97fe5056c63430e1192f8dee24e5aa873e159304c2291a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsMk.exe

Filesize
372KB

MD5
48a5489ddce2e573a84281520531dca5

SHA1
037f28193c65239b9475c7229f17737c6e42865c

SHA256
47929f09ff38f500d441d3ac6f108e85464b7ae6f6e5a423562beb7cc9068acb

SHA512
dc12f0551b2eb3ab08fe264c7a6a298e6c8a7746c19aba6a4ba34175e50bca8e1ce3c27debff4c6481e208b53d48a8a3329102a2e861aa530ee03d7aa5350fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwAg.exe

Filesize
128KB

MD5
35f1a286b9fe3e2c0d6839258329e945

SHA1
4cd0a4ebb57e6c172588a8fa48923ac1019334c6

SHA256
c2fa4c99bf4f93b7ca9bf31af233ed752c1dc08696b1c2dada9d3e684f7f3890

SHA512
18666e40020c33f84944ac65ff27ee947910859252aac3609f334a6a640b2b1c7d90b3f55b0540f1069d5dbca3849215ad9b7a08b465e2f91ad46e6ceef0bdc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYEQ.exe

Filesize
455KB

MD5
ae5dfd1e66e07ce1b4f678c1420c5f70

SHA1
c4cf6357be8df3ff7bd340325425781766d35816

SHA256
17d9637f1010d5571fc2caf9619ccda2c3d896f8ba5d280c55d0f439864171c9

SHA512
dfe3fb52761574009b06ac248996ab7c1ca0a0eb99597bb039e1aeace923c37206179ee9be8735e824f36dfdd789478360e74ce0c58d793b057059e5888fa8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgYs.exe

Filesize
442KB

MD5
5e7665c3326b22234044330dbe1f9fcc

SHA1
eb329590b75d45be8e7c875e7075f111c320bea5

SHA256
fcb3da06beb44bf28dd8d16af752d6e167dff488c38c40f98a94bfdf16bddb78

SHA512
3631499d267089487aea669c8053afeca056edcc723ba3fdf745fba77383b3d18af425ca109df3e1caa5a8ba59af38e948472595358b117b0a82e72833cc64af

Download Submit
C:\Users\Admin\AppData\Local\Temp\hggi.exe

Filesize
450KB

MD5
78a3faae6648c6b40c44947c6f0f29b5

SHA1
7f7e51b368eb97df21241f41f805cae03ebba698

SHA256
4577a8c562be4f715ea6fa7cc43362d6c9470a615164514d1ca1dbefb0f45016

SHA512
d02958205002172df8b02f7a05eddd0429dab159a1226c8534c13c6cb73acc5a63bc4e8a4e19d59c8b5b2bece1b0485f99d4c9d46c404aca9838bac1484c1e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgsi.exe

Filesize
41KB

MD5
acee644306a921f6834c3d4c1e998ccf

SHA1
9a65b5255eb3cd27c1bcc8f24d3d18f6b4d7e435

SHA256
9747684863d977d8491be4b49dd28b927ac49e72e87b5adfcad1fa4dbcfbcad4

SHA512
edbe73ba8470f7a767209ee5a0940b14ab4eda3acf89a555c6f7acf136b0d2e036bab7dc13928a64c141651d74cedc5c9e5cd6717f1ea6f1d98b8c404e02fda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwYO.exe

Filesize
436KB

MD5
bd649714fc400236f26c0ce22d321f77

SHA1
15764d4bfa8d80021d8d918ad2737faee1f721dd

SHA256
92d484a6e7a3c6f3a582a1c5a722655974a8f3d6397dd336c9d558b08cccd25f

SHA512
bacaf5c3b9b5ca6d53b300d804a2f670f230ff7915cce89ea5cb66ca6559d831e068cbec31e84fac2993704a14ef65cac9f87823b8de555ed2c9a4c3331be28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\icoE.exe

Filesize
441KB

MD5
2bb42a8e5b556e0bde9a132b6f7a2f56

SHA1
8231536ce64a7adb98ff4317e7ccbb2210db608b

SHA256
2c07524f36e8e926ca5f309fa230808dc89afb83d0eb5481bd397e074ccf7492

SHA512
458ce597466437031bbed9bad5a5bb025f9ca241c4c4a0f6b240e6f673a27493ed40f39c7e199b1352f5dbfc36c4f51c54e542c3fdb6de6e8732d50bc6c5e2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikUm.exe

Filesize
442KB

MD5
d472f138732ecf865f34cc3402b8848c

SHA1
22894a3aa7258249ed9203e2b03b436cae08bb10

SHA256
823ff1c02c4de2424c95c7881742a8f0fa4cf6e54892ae5de82965f5c222b7dc

SHA512
35fa5b9147cb1da7d318da45057e82ea36eda2bf6a46a6382bc01049a7e84498049966f669d9c6cdd44df84b4335b0531d77b5ec73aedef4932edab821ed11d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEAK.exe

Filesize
636KB

MD5
cf1f26c189cae228e86521dcf8a0ffbd

SHA1
da4db9e07a492ce335cd60896fe6bde1fafe0872

SHA256
1d09fa69809443c763d26aaa6864e99623aa4826da039be9781f1d3a78c7e9ae

SHA512
c120b68565107f660ff2e8f57bcae36c808930ac5253777fd0637b31d1ad1fa2da0f167474d25b805acc0067bc541cc54c44f127b5f99ee09cfb3c795be13042

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEIu.exe

Filesize
879KB

MD5
21ca1a5657fd57d4bb19f80c98126a8c

SHA1
cdef65303c647decf91d51552a78994cfa9db320

SHA256
0c99b833f32de2b99fa033405600b51cbfc384ed50cf1730c822130e75b4fcd5

SHA512
0bda39eca4c5bc98832a10045eeb785b0666b7198bfe77a57e6a487ce550271cbc80a81731df8796853a6cd5480de4612cd3c289d6e20edde20a97e13160dba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\joMi.exe

Filesize
561KB

MD5
75ce293496e20f06f74427ae7e90ac45

SHA1
c80d830388001681cfc7cc5133d5e886d09bdae3

SHA256
5273e2ac19d93cea2f7903d309df3c013bcfd082331aad7e693fee034902ad4a

SHA512
85ef93741d88e68d137b7e2aab590e3fe0ad91334fff6bdd88ddba5fc5422e63877d3fe1448e499c8ae59a879f2df55aa7445dae1ad78c8460fc264e7429c241

Download Submit
C:\Users\Admin\AppData\Local\Temp\koQI.exe

Filesize
443KB

MD5
e26810bdf9c442e4368e8a2211583394

SHA1
eb8facf4ba1b57e167884d9563a19d4749e37aba

SHA256
61192fd4ca5e70541434ad4d1c020fad2dddccdf43a82af2f2b9edc95a08abf4

SHA512
7dfccf9562f76efb8df188d844f8847247c8d8a5ebcc9a59e10e2c362e7263829ca00cb14403578beb2c4e448fd6c3e19ec1992a969e02eca5e763d2092f7c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAEs.exe

Filesize
435KB

MD5
a08271996d3c9c4e03d0529c5d4230f8

SHA1
c6d8e5a51712abd32eed6601645f982ab97cbfd2

SHA256
679fdd1f889deed811cc8eecf47128d134ae2c2f360a5124bb6fac630abd7731

SHA512
3bbb67d7d3ae5abf2fcd3926ce84d62f45913947675f4aa263ee34b17642350c8c51be5af3390687e2c31fe15ae7fdfa375e175382fd800c0be77dd17c6d5aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAgK.exe

Filesize
1.0MB

MD5
c32d06a3d62497b6d483d2856dc77c4a

SHA1
343a61adda8d9cb21854824384f1dddcd1a9b300

SHA256
b99ca33ca99d4b825b73df8bd09fefcc4a1161886970ec27bb8b33f914904472

SHA512
a3056fccd2275d60c9b729550b2964996f1176c7f4c2dbab6419642ad6b6f394c582ef5d18855e04d27d8fbed5704dee6ed5e689787fc1ba42d0d75310d06921

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAsw.exe

Filesize
469KB

MD5
905924cce9653554a73b74b48ce2b91e

SHA1
6bcb5d2d5d34f28ac3f6323b98d8ba8b9733cebc

SHA256
7181c00e0b84b5ff6b8a355d36d031571fdb668fc77d05ff5287da11ffd0b75f

SHA512
24c0f9c17033e8b106cdda38bfc31e7cc81eb49310de4da08f99f0e23261efd6ed80d920c72d9ef0bc03bfdae2a2e1ef94e345a1c0fe5d2dfca759778e114ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkEy.exe

Filesize
478KB

MD5
919a74c2872d88f2d2245bfa2f74df43

SHA1
951fba4339af009e0bd5131470922a0609de88d0

SHA256
ca8bed5124f217d9e658d544e8a94f9b1822626e6b7968b0900c4c7b69c42769

SHA512
92e08ee66f2306679cb2c437fd497c8692cda1c50b95a51e9bab4f1c8c33579effeea4592307ab5f917af561a4f7bc0d5ad15e172deb296321e521bdbc5ee8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQcQ.exe

Filesize
442KB

MD5
3c8469a28c57ff21c51d0e2dc1b152b5

SHA1
62ff458acbb91f9d552c55fc301b96a3848066b3

SHA256
6ac883cc425c44ff7965da3e1a9912638997ebfac307b2455e79941557f2e32a

SHA512
44b310aa4a46f6af1eb007d88534501d752ab1f2ae409a7991b4cdf88e722366c2b0a44b0c219a52c2527aa6279bceb03d198caa64d465f93ec733dcc8bbb2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQsU.exe

Filesize
458KB

MD5
9d81847e446a8f7b6bca743fb46c685f

SHA1
0c165f0fcb965922bdea2e2ee7f8077f806444d7

SHA256
a28e323ef9ec1510617ceffca46029a295d1b3f41aaf6309b034c3ffad3f2185

SHA512
e1a1edb17c017d5b71bbb14552667e7bd8b3faa6bfd5a09b9b45b1e2d3de0a2895153b01310cec2d5eed2c1155b85f0e2c0c4a100923be9dcb06d4f2a423313d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMsG.exe

Filesize
1022KB

MD5
2992a121e5775b0bcd99dde10e3ca766

SHA1
e9104dc140a21c875e738358c5f8e62a2b34cf2c

SHA256
f24033de6b76aaa04dfdc8d32624bfb9c77a0dcf5c3a24ce881c6df2d16f9545

SHA512
06bf166b5cdbc492dd38110a92d8723b9369e157f77ee7db90f6b7522d8761c05fae5ab4bb65e6534ddd0bac0f5c33a38162491667d02f8a66b8f3a81a7ee329

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYIo.exe

Filesize
443KB

MD5
698b17ef026aa0c22d83dc7f77a15110

SHA1
9a3ead6173b961df0a79e74bf4e004e5837a912f

SHA256
ba38c72e64fa107dc1084775dcad9ef30df1de44e52cfb33ddf0832716fab5e3

SHA512
b32ebe615d9d59f9b91d1fa8a5c435be285d1acfd20a84ecc74e268a5f2d944e43f998a37ab839ce53f96e6aa32272f79ee46fca0c9fbf1ed5fdfd6286d6a872

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIEO.exe

Filesize
438KB

MD5
29149c3f894baa882aaf95121e82d765

SHA1
4249e1ec568b25c47352cc4e2bdbf62844ce59f7

SHA256
5565574f0865402f5d8bfbae6ad44a75570af5bfee3a9d21c32f4d889cb52188

SHA512
4e5b59472f014fde741a3c094c1e9de85b44bf4cc87df63bd67edec719dceab7c201d144d7382042746c92365c41980764b57d3902c1b79f8c89ed834c26ffa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYAy.exe

Filesize
435KB

MD5
5314dadce91fde5a7cb70231284e82ed

SHA1
249c3593468613782738953c1b5380e8c3f82369

SHA256
99543a8371645f7f58c843641c9bdfe5a5de4b0bcc6c80b9882b4c31855f8cc3

SHA512
6eb6df425158c023e568f992c64e4581e15aafb5a0e284c10b8026b32a9d24ab7918c447981be8ee854713e525d3ff650f7858ae3993ef09a620fac49f5944da

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAke.exe

Filesize
443KB

MD5
b6c91f995f95f0c413838e2061018e77

SHA1
0d766e1a66e0290142d22f76fc05f3fe73cd2e42

SHA256
533c7448284bb27b726e9080b13e7f2858e1be5fefeec7d39433f6c9cab04ea4

SHA512
4b43a94113daf5b33a12362dbbe9bde95f927bb93dc9fb281eb0347838600137a717fb96b8f8279eac8156b0b02524da78661d02cd5b1b23eb6020b723d16c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\vWkg.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYEQ.exe

Filesize
798KB

MD5
42f0a3ecd20e5508871a9f4bdff33947

SHA1
9f3aec9f51c7d208e2cb76886b7b30063f6428d9

SHA256
548d6a7e146703e04ea7d311f76df0ac7f6b49fa9ce25e90583d1967622da259

SHA512
e97c1cda56ba92361a5208ed90f863145c97dc9fcda9abfa39d17f252bbea172dd9f6fd80e3ae39a3843e4b59dc5a33d29d876d88551e31f01085272c680ffdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMkQ.exe

Filesize
211KB

MD5
5da259a9e59bedee1aade204359308df

SHA1
3f955d56ee5fd1b09e14ae443136d0cdfa1e459e

SHA256
608e7fed482ed1c3da309fb164871aecd2176e39d2bb5c940a9683e78eaa3a9c

SHA512
b9ab21426ef43aa0b00c41c0b2538a19b82afbf33adc6de9c722339aca0375a437b0014e032acdadf0d9517ba1a07cb81c086a6df2bc5b5fd29e22c1bc1e64f6

Download Submit
C:\Users\Admin\AppData\Roaming\StartSet.png.exe

Filesize
782KB

MD5
0bee49f1c734b206dcede6fa69b52c83

SHA1
62c1cd627fe55c385ee85bb8528be4f035701db7

SHA256
3c26f5dad2e422e0dad730944a29d7339cb137eeaf46372a5193ca2eeff5e21c

SHA512
28e270d23880fff010998189a4f4f5ee7acdef324151c80aa0ab1474a2a66332317c872a1535b5382b101b38c6dcf742698898c6b422231f8232bcab19fe363c

Download Submit
C:\Users\Admin\xWgwcQgQ\HcAYIgsM.exe

Filesize
430KB

MD5
e60070556f2097bfafbbcea2864a15ae

SHA1
bcd72123515db6f553e48db166d71ec695fc4dad

SHA256
1cdb0f81e5010fbc6c4e0cd8cdd4675df92ffc693be1550d652a1765360682b9

SHA512
95bf6047379657b9adf4fa2889eba76172d5cbb42d2631952d9ea327a2367fc1337f16f86b3b026f954f5df8a8b03cf650f1996be39a50ad423f4a0b88c43e54

Download Submit
memory/440-956-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/440-893-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/644-194-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/644-202-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/744-274-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/744-233-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/776-131-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/776-142-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/840-436-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/840-372-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1016-548-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1016-607-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1216-30-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1216-22-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1308-6-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1308-112-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1496-31-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1496-43-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1812-770-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1812-877-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2184-203-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2184-219-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2480-1040-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2480-957-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2492-117-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2492-104-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2688-424-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2688-533-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2720-785-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2720-693-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2872-232-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2872-220-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2976-154-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2976-141-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3060-69-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3060-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3148-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3148-103-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3148-211-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3428-51-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3428-65-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3552-79-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3552-90-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3788-113-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3788-127-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3872-1184-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3872-1093-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3992-130-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3992-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4436-129-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4436-16-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4476-163-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4476-178-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4488-87-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4488-101-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4488-262-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4488-283-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4604-187-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4604-175-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4652-1228-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4884-39-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4884-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5016-167-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5016-155-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download