8e2fdc7ce094589f6c32d9dc108fb8deca7b6bffabcf415cfa034365d864029e

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d496103c4a9e8b738f8d73a30829c7a8.exe
Size

480KB
MD5

d496103c4a9e8b738f8d73a30829c7a8
SHA1

21e3d6419c50b42e94c7e80e9b8989cbf2492f74
SHA256

8e2fdc7ce094589f6c32d9dc108fb8deca7b6bffabcf415cfa034365d864029e
SHA512

35e135e01122e2c849fa6dc5529cab0954d9a689c07d7908e414459ee248a92808761ccccefd994ecde8e5f9a537b812985f976c07f777ba42123ad9397f0e14
SSDEEP

12288:gVAzXeh+/D6ZZP6v5ilkvT282xeRHzBrtAP6:gVieI/aZiv5NviNeRTMP6

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (53) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	cCQQkwkY.exe

Executes dropped EXE 3 IoCs

pid	Process
4780	cCQQkwkY.exe
1952	wqoUokYg.exe
3800	IcIwkcgA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cCQQkwkY.exe = "C:\\Users\\Admin\\jYcAggwQ\\cCQQkwkY.exe"	d496103c4a9e8b738f8d73a30829c7a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wqoUokYg.exe = "C:\\ProgramData\\DsIgIQgI\\wqoUokYg.exe"	d496103c4a9e8b738f8d73a30829c7a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cCQQkwkY.exe = "C:\\Users\\Admin\\jYcAggwQ\\cCQQkwkY.exe"	cCQQkwkY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wqoUokYg.exe = "C:\\ProgramData\\DsIgIQgI\\wqoUokYg.exe"	wqoUokYg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wqoUokYg.exe = "C:\\ProgramData\\DsIgIQgI\\wqoUokYg.exe"	IcIwkcgA.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sheRenameSkip.gif	cCQQkwkY.exe
File opened for modification	C:\Windows\SysWOW64\sheStepUndo.jpeg	cCQQkwkY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\jYcAggwQ	IcIwkcgA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\jYcAggwQ\cCQQkwkY	IcIwkcgA.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	cCQQkwkY.exe
File opened for modification	C:\Windows\SysWOW64\sheConvertToRevoke.docx	cCQQkwkY.exe
File opened for modification	C:\Windows\SysWOW64\sheNewReset.zip	cCQQkwkY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1976	reg.exe
3944	reg.exe
332	reg.exe
2320	reg.exe
3304	reg.exe
3988	reg.exe
3716	reg.exe
1456	reg.exe
2484	reg.exe
3368	reg.exe
4880	reg.exe
3648	reg.exe
2140	reg.exe
2104	reg.exe
1852	reg.exe
3240	reg.exe
2024	reg.exe
1052	reg.exe
1280	reg.exe
4300	reg.exe
4136	reg.exe
1084	reg.exe
5056	reg.exe
2240	reg.exe
2148	reg.exe
4280	reg.exe
1580	reg.exe
4948	reg.exe
8	reg.exe
2040	reg.exe
1332	reg.exe
3544	reg.exe
4332	reg.exe
1292	reg.exe
2100	reg.exe
3308	reg.exe
4572	reg.exe
2540	reg.exe
1092	reg.exe
3840	reg.exe
3668	reg.exe
2672	reg.exe
4952	reg.exe
988	reg.exe
5032	reg.exe
1176	reg.exe
2188	reg.exe
552	reg.exe
3424	reg.exe
4476	reg.exe
2172	reg.exe
4244	reg.exe
2276	reg.exe
3536	reg.exe
4560	reg.exe
1292	reg.exe
1900	reg.exe
4580	reg.exe
4488	reg.exe
4952	reg.exe
2540	reg.exe
2148	reg.exe
4324	reg.exe
572	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	d496103c4a9e8b738f8d73a30829c7a8.exe
2112	d496103c4a9e8b738f8d73a30829c7a8.exe
2112	d496103c4a9e8b738f8d73a30829c7a8.exe
2112	d496103c4a9e8b738f8d73a30829c7a8.exe
3556	d496103c4a9e8b738f8d73a30829c7a8.exe
3556	d496103c4a9e8b738f8d73a30829c7a8.exe
3556	d496103c4a9e8b738f8d73a30829c7a8.exe
3556	d496103c4a9e8b738f8d73a30829c7a8.exe
3600	d496103c4a9e8b738f8d73a30829c7a8.exe
3600	d496103c4a9e8b738f8d73a30829c7a8.exe
3600	d496103c4a9e8b738f8d73a30829c7a8.exe
3600	d496103c4a9e8b738f8d73a30829c7a8.exe
2408	d496103c4a9e8b738f8d73a30829c7a8.exe
2408	d496103c4a9e8b738f8d73a30829c7a8.exe
2408	d496103c4a9e8b738f8d73a30829c7a8.exe
2408	d496103c4a9e8b738f8d73a30829c7a8.exe
2164	d496103c4a9e8b738f8d73a30829c7a8.exe
2164	d496103c4a9e8b738f8d73a30829c7a8.exe
2164	d496103c4a9e8b738f8d73a30829c7a8.exe
2164	d496103c4a9e8b738f8d73a30829c7a8.exe
3416	d496103c4a9e8b738f8d73a30829c7a8.exe
3416	d496103c4a9e8b738f8d73a30829c7a8.exe
3416	d496103c4a9e8b738f8d73a30829c7a8.exe
3416	d496103c4a9e8b738f8d73a30829c7a8.exe
572	d496103c4a9e8b738f8d73a30829c7a8.exe
572	d496103c4a9e8b738f8d73a30829c7a8.exe
572	d496103c4a9e8b738f8d73a30829c7a8.exe
572	d496103c4a9e8b738f8d73a30829c7a8.exe
4156	d496103c4a9e8b738f8d73a30829c7a8.exe
4156	d496103c4a9e8b738f8d73a30829c7a8.exe
4156	d496103c4a9e8b738f8d73a30829c7a8.exe
4156	d496103c4a9e8b738f8d73a30829c7a8.exe
4848	d496103c4a9e8b738f8d73a30829c7a8.exe
4848	d496103c4a9e8b738f8d73a30829c7a8.exe
4848	d496103c4a9e8b738f8d73a30829c7a8.exe
4848	d496103c4a9e8b738f8d73a30829c7a8.exe
5044	d496103c4a9e8b738f8d73a30829c7a8.exe
5044	d496103c4a9e8b738f8d73a30829c7a8.exe
5044	d496103c4a9e8b738f8d73a30829c7a8.exe
5044	d496103c4a9e8b738f8d73a30829c7a8.exe
2172	d496103c4a9e8b738f8d73a30829c7a8.exe
2172	d496103c4a9e8b738f8d73a30829c7a8.exe
2172	d496103c4a9e8b738f8d73a30829c7a8.exe
2172	d496103c4a9e8b738f8d73a30829c7a8.exe
3504	d496103c4a9e8b738f8d73a30829c7a8.exe
3504	d496103c4a9e8b738f8d73a30829c7a8.exe
3504	d496103c4a9e8b738f8d73a30829c7a8.exe
3504	d496103c4a9e8b738f8d73a30829c7a8.exe
2924	d496103c4a9e8b738f8d73a30829c7a8.exe
2924	d496103c4a9e8b738f8d73a30829c7a8.exe
2924	d496103c4a9e8b738f8d73a30829c7a8.exe
2924	d496103c4a9e8b738f8d73a30829c7a8.exe
4488	d496103c4a9e8b738f8d73a30829c7a8.exe
4488	d496103c4a9e8b738f8d73a30829c7a8.exe
4488	d496103c4a9e8b738f8d73a30829c7a8.exe
4488	d496103c4a9e8b738f8d73a30829c7a8.exe
4616	d496103c4a9e8b738f8d73a30829c7a8.exe
4616	d496103c4a9e8b738f8d73a30829c7a8.exe
4616	d496103c4a9e8b738f8d73a30829c7a8.exe
4616	d496103c4a9e8b738f8d73a30829c7a8.exe
4244	d496103c4a9e8b738f8d73a30829c7a8.exe
4244	d496103c4a9e8b738f8d73a30829c7a8.exe
4244	d496103c4a9e8b738f8d73a30829c7a8.exe
4244	d496103c4a9e8b738f8d73a30829c7a8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4780	cCQQkwkY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe
4780	cCQQkwkY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 4780	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	88
PID 2112 wrote to memory of 4780	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	88
PID 2112 wrote to memory of 4780	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	88
PID 2112 wrote to memory of 1952	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	89
PID 2112 wrote to memory of 1952	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	89
PID 2112 wrote to memory of 1952	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	89
PID 2112 wrote to memory of 4548	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	93
PID 2112 wrote to memory of 4548	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	93
PID 2112 wrote to memory of 4548	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	93
PID 4548 wrote to memory of 3556	4548	cmd.exe	95
PID 4548 wrote to memory of 3556	4548	cmd.exe	95
PID 4548 wrote to memory of 3556	4548	cmd.exe	95
PID 2112 wrote to memory of 3240	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	96
PID 2112 wrote to memory of 3240	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	96
PID 2112 wrote to memory of 3240	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	96
PID 2112 wrote to memory of 2320	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	97
PID 2112 wrote to memory of 2320	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	97
PID 2112 wrote to memory of 2320	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	97
PID 2112 wrote to memory of 1396	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	98
PID 2112 wrote to memory of 1396	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	98
PID 2112 wrote to memory of 1396	2112	d496103c4a9e8b738f8d73a30829c7a8.exe	98
PID 3556 wrote to memory of 2076	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	102
PID 3556 wrote to memory of 2076	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	102
PID 3556 wrote to memory of 2076	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	102
PID 3556 wrote to memory of 4700	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	104
PID 3556 wrote to memory of 4700	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	104
PID 3556 wrote to memory of 4700	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	104
PID 3556 wrote to memory of 3136	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	105
PID 3556 wrote to memory of 3136	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	105
PID 3556 wrote to memory of 3136	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	105
PID 3556 wrote to memory of 1580	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	106
PID 3556 wrote to memory of 1580	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	106
PID 3556 wrote to memory of 1580	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	106
PID 3556 wrote to memory of 5044	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	107
PID 3556 wrote to memory of 5044	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	107
PID 3556 wrote to memory of 5044	3556	d496103c4a9e8b738f8d73a30829c7a8.exe	107
PID 2076 wrote to memory of 3600	2076	cmd.exe	112
PID 2076 wrote to memory of 3600	2076	cmd.exe	112
PID 2076 wrote to memory of 3600	2076	cmd.exe	112
PID 5044 wrote to memory of 1280	5044	cmd.exe	113
PID 5044 wrote to memory of 1280	5044	cmd.exe	113
PID 5044 wrote to memory of 1280	5044	cmd.exe	113
PID 3600 wrote to memory of 4952	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	114
PID 3600 wrote to memory of 4952	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	114
PID 3600 wrote to memory of 4952	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	114
PID 3600 wrote to memory of 4488	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	116
PID 3600 wrote to memory of 4488	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	116
PID 3600 wrote to memory of 4488	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	116
PID 3600 wrote to memory of 3580	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	117
PID 3600 wrote to memory of 3580	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	117
PID 3600 wrote to memory of 3580	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	117
PID 3600 wrote to memory of 4928	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	118
PID 3600 wrote to memory of 4928	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	118
PID 3600 wrote to memory of 4928	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	118
PID 3600 wrote to memory of 1096	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	119
PID 3600 wrote to memory of 1096	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	119
PID 3600 wrote to memory of 1096	3600	d496103c4a9e8b738f8d73a30829c7a8.exe	119
PID 4952 wrote to memory of 2408	4952	cmd.exe	124
PID 4952 wrote to memory of 2408	4952	cmd.exe	124
PID 4952 wrote to memory of 2408	4952	cmd.exe	124
PID 1096 wrote to memory of 712	1096	cmd.exe	125
PID 1096 wrote to memory of 712	1096	cmd.exe	125
PID 1096 wrote to memory of 712	1096	cmd.exe	125
PID 2408 wrote to memory of 1988	2408	d496103c4a9e8b738f8d73a30829c7a8.exe	126

C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
"C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\jYcAggwQ\cCQQkwkY.exe
  "C:\Users\Admin\jYcAggwQ\cCQQkwkY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4780
- C:\ProgramData\DsIgIQgI\wqoUokYg.exe
  "C:\ProgramData\DsIgIQgI\wqoUokYg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
    C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3600
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        8⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        10⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        12⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        14⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        16⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        18⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        20⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        22⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        24⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        26⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        28⤵
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        30⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        32⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        33⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        34⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        35⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        36⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        37⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        38⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        39⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        40⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        41⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        42⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        43⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        44⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        45⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        46⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        47⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        48⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        49⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        50⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        51⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        52⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        53⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        54⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        55⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        56⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        57⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        58⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        59⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        60⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        61⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        62⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        63⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        64⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        65⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        66⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        67⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        68⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        69⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        70⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        71⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        72⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        73⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        74⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        75⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        76⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        77⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        78⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        79⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        80⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        81⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        82⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        83⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        84⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        85⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        86⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        87⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        88⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        89⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        90⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        91⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        92⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        93⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        94⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        95⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        96⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        97⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        98⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        99⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        100⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        101⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        102⤵
        
        PID:2828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        103⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        104⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        105⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        106⤵
        
        PID:820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        107⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        108⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        109⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        110⤵
        
        PID:5044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        111⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        112⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        113⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        114⤵
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        115⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        116⤵
        
        PID:1224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        117⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        118⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        119⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        120⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        121⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        122⤵
        
        PID:2824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        123⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        124⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        125⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        126⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        127⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8"
        128⤵
        
        PID:1148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe
        
        C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8
        129⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:2532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:60
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWYQosgQ.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        128⤵
        
        PID:1064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIIwoIIE.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        126⤵
        
        PID:564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:4812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCIMAwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        124⤵
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:4244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCckAwwI.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        122⤵
        
        PID:1976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYIcQksA.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        120⤵
        
        PID:2112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:2148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twowQYco.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        118⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKAQgkUM.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        116⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmIwssQA.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        114⤵
        
        PID:2104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWIQEkIU.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        112⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkQIgsgU.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        110⤵
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAgcYQcE.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        108⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:4324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMgoggck.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        106⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgsgsckQ.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        104⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AckkowkQ.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        102⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIcUMAUk.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        100⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:4880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuIoAQgw.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        98⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imkUckAE.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        96⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAAkkMcg.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        94⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:4664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUIEAQIY.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        92⤵
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:2140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUQskcwM.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        90⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeQsskkM.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        88⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiIAkkck.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        86⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WogYYgYg.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        84⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkUYIkQw.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        82⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOcsUAgE.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        80⤵
        
        PID:2068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCMYgswo.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        78⤵
        
        PID:1064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PogwwcQM.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        76⤵
        
        PID:548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hawUQcUE.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        74⤵
        
        PID:2712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQUcUoME.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        72⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWoMAYQE.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        70⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMAwQYUM.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        68⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoMYAsUY.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        66⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuUwkQQc.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        64⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:3940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riwAEsos.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        62⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heogUUIw.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        60⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAUowssM.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        58⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igIMoIQY.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        56⤵
        
        PID:1620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bowQIwUc.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        54⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\newIAIsM.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        52⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:1900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diIcwEgY.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        50⤵
        
        PID:3588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCMkMwcs.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        48⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEUAwIEI.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        46⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwQcIMsI.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        44⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgIgcIIM.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        42⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeEMAQEw.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        40⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOMwsUkY.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        38⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:2104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwsYwEcg.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        36⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imEgkUAE.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        34⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwIMUYkA.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        32⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkwgIMUA.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        30⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcEcsoQw.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        28⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msocYQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        26⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYEgEwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        24⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGsIAkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        22⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CikYskYE.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        20⤵
        
        PID:1192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waskIMUY.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        18⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKYgQIUY.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        16⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqYksEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        14⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqIMoUYE.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        12⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSMYcYAg.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        10⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QycoUgco.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        8⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:5072
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4488
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3580
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmAAQoME.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:712
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4700
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3136
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKAAgcMc.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1280
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3240
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2320
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KckMEgkw.bat" "C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8.exe""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4552

C:\ProgramData\BCgcYAUE\IcIwkcgA.exe
C:\ProgramData\BCgcYAUE\IcIwkcgA.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3800

C:\Windows\System32\wuapihost.exe
C:\Windows\System32\wuapihost.exe -Embedding
1⤵
PID:3316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:988

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3304

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv FV13380vlUeKmv2gwXoO1g.0.2
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4272

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BCgcYAUE\IcIwkcgA.exe

Filesize
432KB

MD5
10cff06ea15f06d678b61e4fe35f8fa6

SHA1
846ce324612016a6ae2c75437b9e5d0368e4f51e

SHA256
55355fc03f7025558d4230cd8b9278cde7c9e8aeba316d9894903a1c16e8d94c

SHA512
cd3060c672373385e62fb6324346a21d800416a17a8c7e8d8d106e23691c4a8a9517f6e2b75994c3fe09b3f8c89fc1af3ba09eb2e69abe63593d5ed0842f83b9

Download Submit
C:\ProgramData\DsIgIQgI\wqoUokYg.exe

Filesize
435KB

MD5
5226dca4bbf490bd66b9691d01b29dce

SHA1
6d728ee80835ecadc52c07f1b40972b0afd96d85

SHA256
4455bdd26cc03e35dea5a7ea14004be1f46acdb17a9a5f9068d093299f830ea6

SHA512
1d8c329b756b1caa165a02701c07627d391bc7e7c15955c156eb742a96b8e8f60435201ebb87037888f6399d6755c5cb586d12d7e5e81b27efe6b3b5d2b6450d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
438KB

MD5
15682653d6c9819a6192b0cf33df5f84

SHA1
aaa61af46f4e7d40ac14cb807e2113af70a036c9

SHA256
b4f69a4591c3f548511288a0f637141a39be7b8390a9aebdf8f85f3890d6f470

SHA512
0acb09a4c536bf932a86436120c6293e02b6d0980bc70fcfbe6b13f18721f3e974d38bbe8a869260da7a5617d5cb44c0ad8cb29228158ff887e3bfb9f8a71b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Acse.exe

Filesize
460KB

MD5
bf5400341d2d67c38d02327634080c1a

SHA1
44910007ca35962e29d173c1893262fd7293575b

SHA256
ac00176978b519c7f96127aa9a2bbc5b5f81674f57655582ecdf4186b7e39a28

SHA512
afd96110b50d2bf3469c0b539a9dee088cb11629010d7b489a11dfbe0d553aac3d2a3e155efa4720d820cdd355c80fad64b81c550e923e610f84a15437b22248

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsAA.exe

Filesize
449KB

MD5
8562861d988f83a89521a8021813c311

SHA1
8ad51aa1799a9e9a84f2ef21aff9ac3015f03e9b

SHA256
c6910a38ac5081bd5bb906ab36bfd454df14739895321af4e1a4aa4f517f49dd

SHA512
de5aae28daa52ff434aa33f9f34200fa2eeda9cf8045d722c08e8bf2f4be5ea0a432f3edd29ac6c81d4eecac138c1536233f9d880cfbc0bdbcdc817365bac55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsMS.exe

Filesize
441KB

MD5
b930cde18060655e6fba77569302234e

SHA1
67e9490d490f1fa74de306d0be6f223f164bd638

SHA256
77469cf3730969ecd9e5354ddf6235db25942c41d18c1fcf846b68fec4888593

SHA512
7b6e053ce406124a9320b18be7cf397b7eb61d06cd830c0c6205ee9bf283c10fc3a828bf3bf3fb2acd8f758da3da27b2ea3f946f7ad49e96812001afd89098e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMkI.exe

Filesize
885KB

MD5
01c8ae9aa60cc219018a0d640099f1ae

SHA1
374aaab17abf26b2a92a567776c2992f4baf89ab

SHA256
d91e8b969d7b0c146be98fe4eb4c6a5e8f6a654f98328ea469955f65935befbc

SHA512
65613a3f5fa568c3ae0c4e4afc3e8074df3ba292424f9b1554bc34a93b503ad1ae93f39d57206071e3f1145e3406f46c31930fbb23dfaa322e9735da976df959

Download Submit
C:\Users\Admin\AppData\Local\Temp\BgEa.exe

Filesize
1.0MB

MD5
7b47183e51038e7795ea60eaae1441b0

SHA1
186d7108bd853d8d3f48d6e9968dd8357f9b2c65

SHA256
4e8b89ff19bc0c20088b2fd900ef50ad99f1c85e073e111d61e1fee67715d3bc

SHA512
3dc711d731b1ef4d249465dfda0749e0728f79bf7a4a2747a6a3ed2aff445aa427729b4967e51e8d3e49767b393030929101bddc56129ea99d99980e7d923844

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAUi.exe

Filesize
1.1MB

MD5
0262fbffa78342bdb79ff49ada9f8a1e

SHA1
5d38a20b699b324b7b11c328fb200aa96ee40a9d

SHA256
7b4f06adc93b975d55f91c80092412999c4885669f65538502ff808a86ef0047

SHA512
240e11fa20835f2d53f899b1ae968028204ed39546ca3e4e2bd37fa99a85378952261c3f67e06cf571a011290fb0e0acf6da06d886dec262af20ba7653fce9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoIe.exe

Filesize
439KB

MD5
f6cb5b33f9affc02659b531a0abed9b5

SHA1
ed7c9b7f3091ddbc1b34349d18824d963810fb89

SHA256
3529c8d980f268b805e7479a508062ec3d2db7d5cccfcf0e92db62a1086ab38d

SHA512
ab88c97f06849e046838a1b958d46998e66389ab704acb20298c504cd394f42faea152a7dbe16695c122bb56f8b511280b64b9674a5531b2542a9c005334e35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CosW.exe

Filesize
437KB

MD5
16cfca41b23a14094a35ce5eb11da766

SHA1
c9ead951847a70ee6ff6138be8f149a7c339b3e5

SHA256
5987a5fa3f1704d39309077d005cecb54cbc6e05b57fc588855dd8452bb514a0

SHA512
51aa64ebcd06e11851c95cf756a1553379cc353dc6c252a8a5608b5d6e06deff23960bc3ebf27f7158973b61b3278e8de738fa371fbe8f8a163112583a47f1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMwG.exe

Filesize
441KB

MD5
2cc5da5c197be2b5b131a32eed9a0c5e

SHA1
f2e379e24d126f83b3edde0fc82417a8d3408874

SHA256
019eb4fb3899b4beeaced0310d2e9d1f44e59a2b8165bc6a4f56d27ee6ad60c0

SHA512
b8a2b32e28768e42813f794bbaff92c8c9d0324443ec3aca03171191684aa2c3a5a0a7da1806c697e6ebc0e26cf5ad726e07ac80e7dc51680a6fb3cbf2ed9f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoUI.exe

Filesize
440KB

MD5
62424201057c6356db2b86116be5648d

SHA1
74ec9e0b6257812c5ea56129b5f449b44f9df070

SHA256
98e07d5d05296f020d6c1aa6d9e95c6eb9b1c883556bc62bf3a6101222c04e94

SHA512
16f3ec6bea4aa879b70f8ca6dba530699efac9f9297f9b9646fd62841b9f7eb0caca500b94d431d8985607a12811b520abf7562ad2729ffbed2fb3d1aa3baf9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsQy.exe

Filesize
457KB

MD5
5766fbfec3b61d8fe5108d14e74ac188

SHA1
1ce6a561ce016e54cfb6db0ccb18495e03f73852

SHA256
18d47b00f754076e13558fd5f3add8b311e62d400641f5768365ac8efbb72433

SHA512
07e610224723665e72f71bbce2f8da7a7d66941e02729de6d35ea6354edb4fb57a3c9bf8506295a494f9aa3e8b181420b442e4b27dcbcbe5035f6a78f2a196d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Icgk.exe

Filesize
434KB

MD5
58a9359a79f120eb70e5f002cd048c91

SHA1
07b44de9e03ee6d0eeef3cda779ec0ce366e69ac

SHA256
8085d9c1b92bd4be4d276e7187071a8d73f9f47e24b1a5ce8176594b5f5707a5

SHA512
1a4742f9a62a5e5f9d9f577df084ef1840345e1cebfa4d7870762909f6531bc814bce1e067237cfdec81dc5d94658ce589d348b5e88ec4c419bb6795a90757c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoAk.exe

Filesize
444KB

MD5
32063920116187352e3c512ec0cd4ae7

SHA1
c4663e1d939aa35756ca43f9ad646e4d475882dd

SHA256
2ea6dfe9e4d69d36da1f607614b39aa4bcbdf1051a36c767d8a96ce9125871e4

SHA512
ea4202eb51ee1803b007ea61a607e8d6542da65ed8a13ea0849bcfe6aafb006932c39457263fd90b82a391f942241de434e06f43716b3284639c53a599aefc92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iosi.exe

Filesize
470KB

MD5
38ebf6aad095b64b6039f068773c43dd

SHA1
e18e16200f25f9be0e3d1f83c124c029159d8c1f

SHA256
809202dac752bd9c9347a35aff661700f01cd7cd7324bfde4b93d3d8eb0c8f1b

SHA512
90d919b85fa508cb14187f072c619fcb8c1c004516b17cc9c0b404b0d5bfe9e1618e556ed33f84ff4108d78331a8d46b24ce1c4a4b466e9917808cc98aa5fc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAIG.exe

Filesize
438KB

MD5
1ba2481c9534efe04478443c4f819237

SHA1
569bcafa650a0c695a617261059ac5eeab04a584

SHA256
f4534024f2176d03e7b21dd76baad4478a05ffb01fd91869dfbbb7c870b1f095

SHA512
dbe6b4cbe6220f1e9b4ceb4e04704a69af06d6d3b5e7fe4234cdd27fe703ff475f369582aeaaa92ad13e4a84f6b419dea1e27999dbf405b4f7b4ccfdcab0901b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAki.exe

Filesize
437KB

MD5
a0f419060542a7d8136fb1f1b2a71e19

SHA1
13abbb1ffaa818565c9276b6ff391a745db07046

SHA256
b45ab677f496536062576f9ae2205b749ee8badb73594c8620c0d89665c0aa4f

SHA512
ad73a22533feb748c2d7e827d1300472287187c8029cd2655427458ec86fcdd6035cf309b720cd2af029641386942248c49c6e010c7eddea09d0568543d71099

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIAI.exe

Filesize
4.0MB

MD5
0ac8bb363a1ddd4712110494c4eea9ca

SHA1
54d756d87d83f910c59176eecb977c63a186ef7d

SHA256
848479322360b00dbae8228b0d01fce8a393c92cf6151e65d0ea6fc654b957ff

SHA512
b20330a18fe465ddb5c71444ff43d1e4b90243b46014a49c7cc34b407f8c218834e800936c17bcc5eaac57e9dadc551cec2c050acca3511b0b13a19affcc5ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAgM.exe

Filesize
822KB

MD5
7f609d59bab08a3953e1749127cc4fa7

SHA1
e9cfd9a5e84c0fd2055b2c778279a939504c6413

SHA256
704709cd8debe5ce0c3917e6e1e3066872c5b25b9df93a59e5995bbec30f4f39

SHA512
a62c7b1ce41894bafc8d07a5a4d0a163f73c88a16c7593dac5216c8391ee5abbe4d95b2314eb2820d0e0443d93ffcff8909f214bd277b199c60bcea49792d1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEIw.exe

Filesize
438KB

MD5
77336d955f37f914daccf919863ecb83

SHA1
85e108a3cc5c4ea70e3154de92116c33807f3e39

SHA256
563ffe7cecdfb3fb3debd8d27ad35e38f20a28c46d1386f09e84c488193480bf

SHA512
ad9000c8d509024cf7a7091720b058cc46b0ebc5d336fd07f3859a655bd184cc4cd80bc888b4839eea6086e4bc7f754dbb408ec4f2a56d242035954559e72ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsoA.exe

Filesize
435KB

MD5
250ed888d2e244655a7d77d1dca5774b

SHA1
0f7b887b953ba90ddb8bd829e5663fc6dfc8012c

SHA256
a1df8a2e0b71a91f4c9fdc9617808ae1850de2c47e97485f7a93310d8a758722

SHA512
73310fc84f23d6e2ccce870a4dca7acf0d44e5f6288b5934391d4c64ca83be0ceaf1df35f8e22245bcc248f7788796bd7f24eec0ee0389f0e30d76358a732286

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUMI.exe

Filesize
435KB

MD5
9fa4483cfebdfb793bb02b0f3b66918c

SHA1
ef13ae7d152847e94d777acd2fa5cdfc708af773

SHA256
b3147b6bd5ed4a7ff139933c092af2bb309d5907a8dccf2abdafc5d17e70e88e

SHA512
6ba4f07f5d5c06cd8d50be3a8b93960adc361d2890a68209412b089ec12ece2ab04361d3a831e4a94f1a935a03391335e67e7de6b7f77edab1eb5f55537a226d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYgO.exe

Filesize
686KB

MD5
28b984d7677a582d793ddc1cdfac6e8a

SHA1
6ab2fc2ef943d801e899721898e93c92d45d80f9

SHA256
358078bd67145f558dcddd32acadb7ead3d821473d47a98411f899fdfbfd5379

SHA512
0bdda166aa47447b613821b3f2ae8300c3e6f8fc19b885e7c218ce9e9fc4a574e5f35ee952e0d2b60f70789414adcac45bfb35bce0d4b5252a7659ac2e2c30cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsQu.exe

Filesize
564KB

MD5
dfb124137bf8321830d2434d5cfafcff

SHA1
bd34dfa97dca30610c335e0d29ed028eeb900eab

SHA256
749ee9c838f68e25a14f7321473097f4ac015d69747cd8a2367af6edbc647ab2

SHA512
74141f79ccb22263c937765b7c1696640dde6aa5b862a9104217d927a4cd70c9e29d32e0e3684f4fceb4fd774482a3c8f46fdf780d40efaa9cbc41730262c03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcAY.exe

Filesize
438KB

MD5
dbc96ac7dd554670629219e68122c4d1

SHA1
c6e905802a688bfa5e6773df7dd78cc6194c25dc

SHA256
bd5ccfb52301f2ba3952a9381c3a1b0d66eb3c628070b13d03ea06b245c6d9ca

SHA512
006af6dcd375bb4da8e2a143734b4d4a4521558ad9dab88ad3ddb7c8d0426e294dc03767c6a5881d032776d81ff01b4519da8e91f0899c7a90f302db7423f631

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pooa.exe

Filesize
439KB

MD5
0f10e7b3d3cf4ba3bbd6f6db6df6da76

SHA1
5fb1f23258cb7730c967e43e5e2b3fabe5ea909f

SHA256
5f1c1ff3af51606dc1f966ffce9c23f1ceafa2226b910999475cb13aa50e8ca8

SHA512
815a9201202e695af62a87139c189856f77f965d7e08dc84c5fe8bdb0f363830dda7556782fc23ebb8c31599f7e2b36510e736937c82580bd09c87819cf08f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgAw.exe

Filesize
433KB

MD5
8946bee6f477c6e577c63e857546b3c7

SHA1
a8165f4a8aac8eaf64a8053ecf5ca1fb58683003

SHA256
3f3053224a6a327b3f16e1c19d4e4eb701abb557cee5fb0c865c5bb130e9f355

SHA512
720a156ef5345ae438e7a9142f9a378f20e79efce6e3e3e0083841bc605af908af26e2ddde316afe912807002c6171256295d5ee410ca743ab423e4ef560798b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsES.exe

Filesize
438KB

MD5
c6c67e7b939a2dce149e8436a3beb4ee

SHA1
e3a8c4cdb09baf3f83c957a1180dc18ee9dc5596

SHA256
e050b2c3a90f45599e3606c3452338e26cc91bd04d19fdf60bc64da2b73b2385

SHA512
72031a4c212d60b940e6e55e6930a04aad2a7c1a8bde31f8f834c79f31651820b7469389e149ae7eb2cfb2ebe02e718114010e3f56c831f59ff7e72851964511

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAEI.exe

Filesize
437KB

MD5
fbfe21fed986fb6c86c87b7a440d4cb0

SHA1
f7d89a260f9a7b8ede22896e18784d1cf79730ee

SHA256
87674ca9c4a184a86c8008fc5e41ae9517c711b4cb0b8b579b6068b039f6961a

SHA512
daa154f164af66cc50ab45fb0f176abf1d252c937e429e31233fdc2fbf7733e2b9b28b221770af61e4ce51b3571b424efae59dffe9b635edcca430538bb01e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYQq.exe

Filesize
437KB

MD5
fac9a7ec3d5c4aaee8b6fa18f0a03775

SHA1
41c9bae635fb9057e108a9d4023b2d383387d394

SHA256
adb22b25ea87fbe92c51fec8c251fe6d8cf07a4094b6f64b5e86610ba1c37011

SHA512
b26117c06e0a25af38c008ec9d2ac6dc2dbe00f8c6027faf020ccad04c346fee1e3de83c4a1c79353139855b82f7c70a947b4db99e78d804d659266e938a0f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcwI.exe

Filesize
875KB

MD5
e1ab8eb978338821c26289a54804f6db

SHA1
2561e92136b303045e8dea1ca78b4c4e16b4a2f0

SHA256
67a5ac9ec2474442446a39845323bd120a85c06f7ba29d0affb27492ea424399

SHA512
3d51f3bae11cde4e982e97454ce844f171aa24f3dba5adf92563eadfe4d3482126a121534231557945ebd04201dfb3a5550c15ce6b03ec697e59d10f0cf60b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twkm.exe

Filesize
474KB

MD5
9ae9a8995d39f32c0bbb22df30bc91e7

SHA1
ec957af6e53f5f8c066ee0092933e072b83f2bfb

SHA256
d041d2abd0d9bc83f87015abd78d99813cf01fa492bbafe53e627ce5abaa21d8

SHA512
4cb20c565240ae4752deea521c7dc2c3f70e330ed822aadd3c881246204c865ae445b61dcbce3e888644ad18201d9c7ee07163b9fc7646ca6df0f30ccfb1d830

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwkK.exe

Filesize
1021KB

MD5
6cbf3fd4334c55fd83a062ed483166c0

SHA1
f1135fac5c4a3b9654ba9fd35f74a7cc0a192d0c

SHA256
cd720eed9741ecc69e2a813d6e41e989df47f94eb1ff9981fc5401e4571c3f29

SHA512
b8f07e75573aaffd4d6ba70d7c5f6783bc6214ac7fa0d772eb6cf23db40e70d441fbf33d10d8200d44f1158c9f053d93166be609aae85773d5eccd832e4bce49

Download Submit
C:\Users\Admin\AppData\Local\Temp\WKAAgcMc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYsu.exe

Filesize
1.0MB

MD5
1404e45f96fe49442b7af7c0c4c1e607

SHA1
b947a966b0662ee6f102f2a05a24fec6d4d1a73c

SHA256
258c8afd7f9496792a6970006b59b6d3aaeafb0fce032d44e628b0eba8802241

SHA512
77aed05c03cc5d5f7946035ce5b0de6d61866b0384f0885bf977b0d9686a4d7d9b6eba392469682f600af795bf49f589d22e29efe15bcbb22bb1c2a232e3dff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wsoq.exe

Filesize
437KB

MD5
2043911b11f8ad00af292167c6eb3acb

SHA1
aecf2ffd79877a3325ace0f61ea8e11f8139ec99

SHA256
9703f7e0d3e231762da76eeac4fc196aae2b6cfd255480ac4e5108f1ad350a44

SHA512
b727e3af06946a4bb7d732d028a8d612495f510f267a67e64c3ba838e23b9949cef791b89d8b51866433aa9b9f67f75514fde770d30310a2cf24717f4c314441

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIow.exe

Filesize
887KB

MD5
a7a6fe2ceec1718b93eb6a7809fe54b1

SHA1
a147405a0e8686463ab7c1416ff54cd9e8ac925b

SHA256
966fdf2fd1662a0936f50bfb7691828425737c3c3e2442aa8ed47342c6f4169d

SHA512
6ac9f967ec334c98659420ab364889c481181d0f02fc6447b3d9abcf4756f1507eea5c10e7a8b39560885e206edb0eaee8a99d10a7c7228e95ac787f30d68223

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMYw.exe

Filesize
437KB

MD5
ef206b142415b1329e17643e420954a3

SHA1
7a43bd0a8e6ee639d47bf65c9be38b7c0040050c

SHA256
4623cdd67beb3ce225297d2748a8d68576fbd9e4fcc54e8d934e650e532c7e61

SHA512
acc85b6f2d44b99e8d22e82f885c44a0c39c4f2c7b61c3dc471b30f2d379386b609485514c7cb7b374e5ac3062baad015fbb6057e7958ff1e870430aff97cabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYko.exe

Filesize
435KB

MD5
dee796902cc0b8c204e03988892c169a

SHA1
1ec96cf89ff3c4b59701cb772fe70f9a0dc24f73

SHA256
dc846d8ebf33d90a37898da998f5a1ce5a08445319938234331b8b8dd0b0f534

SHA512
f834afac9576629ad9b15a9b45942a2f0c5863a8e6ff82eb922195f8e1625f0343a04e8f44295bf48f7debf8a5996358397a17be11e4db28dcb8eaff6a292a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgAc.exe

Filesize
6.1MB

MD5
17119b5b680dc04fe6c969fd0f90bff3

SHA1
556b15bb05e2dd6ae66edefd074f3e8ee3ebc55e

SHA256
01d7672f28f540d2bac49079e30f1c363bf8d110453c9d8fbd78f174334658db

SHA512
22b66f7f330f2c582b4c66619e444312b54e03d15e0420a71c7439545b29d2b096584feb15cb9c9fc16f80c0de47369b134293f25295db1f5cc11ceca63e2328

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEIe.exe

Filesize
466KB

MD5
20b16d7eb56c5cdcb30bf831e1568639

SHA1
bc6c16ab1d4629347ab3fa6caec5f66e5d0d56a5

SHA256
3d4dfdc927087db0fbd668859f226cdb1f3680cfb66e0d4f8437ec60bc31fab3

SHA512
4714972719cd10ad7b3b015bd781a8b90c97874a8e71edb7f29dfe186e11dcb0d37fedd1326a6f57f4508a2322304eb258be15dff531447fd926bf6ae139603c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acMi.exe

Filesize
437KB

MD5
52768f6b2233648089b790bc666fef92

SHA1
847091aa66a32f0eaef4dcc5a02ddde96ef06db6

SHA256
9afe01f5b55a54771f589ef471f3a6a7f999ad62f7cc105ed28b9d6719209568

SHA512
6c681b6eb97681eea20cfc737dd8963d5c642ad1890bd7cdb1e139051e6ca04dfc60ad2d7ce8e1aac9dd4decc8372046df99f8992e0b55e16a5a6f98d49aa996

Download Submit
C:\Users\Admin\AppData\Local\Temp\acse.exe

Filesize
448KB

MD5
d1c35ccdd4865c3350b74948898a738b

SHA1
a531b51c5f95893e2253ddb6c75b391ca08975f5

SHA256
83bbfdb819297688ff5b435215c823ac853397ff8811ea1ab9504c368ff5540b

SHA512
accff134420960bc100b33b45b24bb1fcc9747952a778eee5a388ad4789265541d3089eaee08950c12e6d01def76381890e84a050bdfe2abd983b1081c9f8ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\agUE.exe

Filesize
2.0MB

MD5
25d5b0dca11422a8d81cb7bcf8b25240

SHA1
fb384ef2b0b3fec7718d35e9fd00c3e2ad47dbef

SHA256
96a396de2b151196eb470b88c54d51f8b5f87197661ebf28cb054578e3fcca58

SHA512
53f9e12a8542e209ce64ed938c3d04ff5ae7fd140ee2cc56756ab92af73069d8001ddddf53b5d9a05d31af9c8e0860e43aea06a2c2a0c356a8b53fa58d79b13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoUC.exe

Filesize
558KB

MD5
a50b282594eb5bf7ef8fa8f2d77603b2

SHA1
63d59e014eb8f2ef81c5d9d9fa1e08c4b2438415

SHA256
acb517c3d3b1ad33069466c03d8da473668ce44a45b9e24ecae9a2169d678077

SHA512
ea6fd550e8f9798d25e861061563a49b31118572026df8122d5f98364d139ed76a9d4c925077c9aebaf36fef8a3de9f56ff5c26e603ea34a9225d08e87709267

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMkY.exe

Filesize
446KB

MD5
b8df2485fdf710cc0c6c14f2d1b66335

SHA1
1f34d36a25e052f13b120c9f93f22bfc826a7c5c

SHA256
a9f3febf768ffde4bdf14535cd6ae9e7cb4dc4aa48a3aa593f15f34ea827e287

SHA512
965d0af8f433c14de4475e76b671a0a412d33b456684f062235fcae207f2a99320dffa6279b45abfb0aed4ea9c355512a34a4d48f09da5fe234ce3b50c2cc6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d496103c4a9e8b738f8d73a30829c7a8

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAss.exe

Filesize
441KB

MD5
da2a17105d5a3fecde7fad904494ad83

SHA1
226ecc55f3b30fd2e918d18f606e62bcbc0f27d8

SHA256
8c458a1a05d51be53b623b225dd5b44b7d9e5ec5caaa5d401083b483fb2c745b

SHA512
526493d07c46b90ebdb407c2ab8d8436ec2dc41e1815b3ec8be425ecb90e9988fd4441595966e4a7451ba802cea7b66692958ddf59ac3a296e7dd9785bdaa674

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQEI.exe

Filesize
452KB

MD5
44063a138624799798f15d292352b8f3

SHA1
a2c795c6eb87eccc2c24fd06d109a23fea7f1ceb

SHA256
a6f00f042d080d716386cc05112b931846820535cea90cbb985f0df373939084

SHA512
cd26d93f8f9459aa8f4f049cf76e3e9aa4e3022fd7f32630cb53c685c83540549e87dc260a1ffa5cfa25c4b78bfe6433889d44758fb60ddea126444aa830a590

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsAC.exe

Filesize
1.0MB

MD5
c3f294773a022d70bc24788f031e41cf

SHA1
32de57f7b92eda4359e2d0c5f2290dfcd4086d81

SHA256
6fed8dcdb95fe212f155ee3cfb2b09325c33c6a3dd6179edfa9e3741c8cf27dd

SHA512
dc8ccb1ef0a7c86f8b09d6a70183108c3c8616a7c0ee27d1f2360c347da42b25943389913077c0c049eb2fcad119e94421e8722c3269fd937bb2b5fb766d8c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUgq.exe

Filesize
882KB

MD5
1c025a177a5f7e059716aa6e3fc32a00

SHA1
de01eae101c133f47c80b04687350944c8cc9656

SHA256
82c068c09e7c5e78f41a20698c23abf7127462fea9f832f37b25fdb8e212955e

SHA512
9736edd4e9721763cc23b8716bb40cc2c20998dfb1b89c4076f4b5a677e47c802609ac285162858d1ea8d447b21883a37519df3d826239bc24f96587b45a2c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQIk.exe

Filesize
1.0MB

MD5
d7b0a1e54ba096050c29305b42c194a6

SHA1
5417411c2a844fa4db85c0c677fa25219dcaff5e

SHA256
4c344f1a4b6437e1f4ab55c5cc830c65f8bfb38cc82862b55ff9aeb3422189af

SHA512
6a422c03b156434e2e7cd750b1cc1d88fdcc38402688b377b96ed5a131360faf3dfe9e39d6eda0639460c29d79c63ad7a27f2331bf0b0e97d1d14565aeef7976

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUkI.exe

Filesize
437KB

MD5
753e5b56b73e7a3b29a142470a15664d

SHA1
36f15b9583005a5436890a151bf84333ce4437cb

SHA256
8a27373e3ac6332d2cdcf5749d475cf58a336ff7e6b6a03f60bc4b25d52ce4e1

SHA512
2bfab5429c978d6a39482d048faf18cc9d8f596291f0b5d5d255ace657fe2291357f2768a190bd5cd73247207b7af0a88357b81db709b20d9c219e4598f3235b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEc.exe

Filesize
442KB

MD5
8b01d0fd9d1a7679deecacae6896abe2

SHA1
461291a22162a3a64dc70177d05096577ad7ba21

SHA256
8f6e874561c29c8cb9cd2b0632297c57c5e17d841b65c84a0037ce796fed4962

SHA512
ea46eb7af9c8a0556fe0b0642e164798b96c21d8d0fa4837a5f89c900016f376b71108ff01ce21bf9387ba8d4318818b6ef665b4209c0ff972c2985266df4141

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkoM.exe

Filesize
433KB

MD5
b9adb61b565cb99798ef3862e6b2abd9

SHA1
4740204df659962c4f61d20fcfe0a75adeb5b703

SHA256
bfedc6eb1044356f8c705c8458119c90160fc4fcb5d59be983accc57aa587f81

SHA512
6034cc788c7b5d8f50da23689e3022ccd1feb3a350dbb1255e0d221bf96ba60385b1912a6808ff69b73b9f4507cecb3029a67da538575a5505426fba6a8580e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksko.exe

Filesize
671KB

MD5
9abd60a46b9744d91ff8ac5cf03079d7

SHA1
1e7c0e05a27f4d49bf5aaaeb299170e3713e63fb

SHA256
14034fbc204770398faa779bc92c4d279a5bc489fe81a292d7aa4a7d7890b962

SHA512
683e5719e79b2a51e86bf7d82ca486d8927eca6b8938ff07c999ae568d18a4bf8fa18d0e2dd6f35f766572337330b00a02b1961c63d7a095de5d067301fb921d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAEU.exe

Filesize
440KB

MD5
95dafc0e238caf9261b5f93f470e0fbe

SHA1
3a480380224d9819dc5982c40f78a83beb6597f9

SHA256
0d4729ac88dbb4a24835ba2cce840b8cc65e2bd1175092377b109704f9b41bf3

SHA512
4e7c5329cf8dee62b06e61daf4606211837fd2e420be55a535cfe5657491d5dbcbce33f307776b74c8416df624f34e0e1b656c76b8bae27018d6f4de3c045ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQIW.exe

Filesize
887KB

MD5
1de9be4b12ef2cb617e82b42f7918aab

SHA1
c236ea0e4ce41d5e772b38da63148127717727b2

SHA256
346143063fefe611fd5ec5cb022ff8118fb172c47d0198d362a045ab811c87fa

SHA512
4a7ec536ceac870bcc22eb364a1ad1638d7b5d72575f698dfd12c26a13e43f7c429e5187d69d3096f17557fa2bdf3590b5030a5ef1f142173bcb0402554c306f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYAw.exe

Filesize
991KB

MD5
9454202f2066748c1e245d4459b53420

SHA1
2c3e0a5f3690513ef035735ad8fcb05a8dabe042

SHA256
43e29c8b4d7ec52555df002de3b2b5c1dc735e0f4dcba7ca2584d719addaddf9

SHA512
5d6afc53ffdc7e7171a18d0d649a095b62fab9926254b8df0bcb66581f1e661da0dc5335614851283acdf184b0417eee0145a10b0048623c2d0652560e125413

Download Submit
C:\Users\Admin\AppData\Local\Temp\okIE.exe

Filesize
1022KB

MD5
da39df5d3dade723abd894430bef67ab

SHA1
e8434e28d9d7660e732df45560f707603a20de2a

SHA256
6266db7f8ac50ca8aa8f3c2a7bbadd2952aee7289a34e000a35b3295e0263fd3

SHA512
faaa33aefdbfed90fdaf8f01f953415207dee9459e38e41fac705f91331494124e8c84aa58a8e8e957e12d9d4f26779e82ee6f654f99bbe1c5e02afdedcc16c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oooq.exe

Filesize
438KB

MD5
3005fd6d9ace925342e27a9635255917

SHA1
5d708156f37d572bf2e3e2e1d02433311cc37033

SHA256
b3b85bc11a050b42ff973b8fda0ec4cc615bf87c2dc6af66f2276b0971dcffd2

SHA512
1207e52b0c02b9e7595e9952ffaa49fc0532b61e2b20d67c4388da1731394b539b0a357efae54a29fb6cd6ac7dfddbee0179dd7ab501ff13b5312fb3bf02fe78

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAkC.exe

Filesize
670KB

MD5
bab61b257e18d83e22081ea0fa8dec2d

SHA1
1da4381e46ca6b1be17b87198a52247d931e5b1b

SHA256
31a4c00123b2fcf06b948b5d4c0d8c0490f5c112bbdf8da664476f54eb545f19

SHA512
184df91f643482d881e8d23079d73c4c97c439c412b245df40edb0d5bdfeaccfe740b9ad9d58c70e3924bce092fb8c1f634f9d1aa734fb6f0e5b08ef9c11e957

Download Submit
C:\Users\Admin\AppData\Local\Temp\rogA.exe

Filesize
436KB

MD5
808613239717f18def01970b53b303fa

SHA1
1b07ee181e1c309aacd6582f0025827bd650dd44

SHA256
3ca4a7d2221af6e00f921c9a5cd1804727ba39fc1da8bdd6fc5ba85ed8c0fc1b

SHA512
9f5dbcb85c71965d9e17a51ff757866ba2b718fae42459c49c8206e80d485a662dc12751621a9f1b17e7bb9a40ad1f78b8dddb1583d2908e81a723d03684f682

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUYs.exe

Filesize
438KB

MD5
3549aec5203c194240fefc691cb57127

SHA1
3a8023cbe09b37ebc560254ea46012297246cef9

SHA256
e8a3893e1f9e1cd7e800b9e02b7e2034e26012dc529c4ab56b3a2bbea7b6683d

SHA512
b136165219f5240b98d334ef13d698ca067c76f8f05011e4e8ca1e44da18a223dfa42e4b9fa828ec2752baabd4e707eb61962dc9cce11a9bcaf32b8851560a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEAs.exe

Filesize
504KB

MD5
2c4e69ccc2b1a6fc7d0fa5bbfa57d924

SHA1
8ed2e16a9d32122044db31d8de02388d8cfa46eb

SHA256
c39e8c7680754b22ba19f7e39bf0f55e96522a3e8dee2ca37af74bd0a6cebde9

SHA512
ca6c829e2cb72111ead4ac864cb2cc275b34c07f1f66c0143083490f9f950b5eb472361c0b51ae114b7a23ba83f34bfb627be609be630b8023a9834bb713f364

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUQu.exe

Filesize
697KB

MD5
c111f87cc565bed6cb7a7c28147b3dc4

SHA1
7a1f4f7e6d5e0d0eb142504142c42cd8a6612f5c

SHA256
c5048d06a24b1d1919c734734e6b94919d7d392976c94bc8666daff9455140f3

SHA512
e4b9366f50fe3761ce0045f18cab3a891f502bd66dfe630b852f264ae447ef7523a5f2c7481f84be3c9e005f05c13a77c8be21cf83d882291d2efddf502dfdf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucAg.exe

Filesize
443KB

MD5
6e9ec2031df2aaa64939cc10484852b2

SHA1
b41e155603840364e55ca592c90f2262fc2c6903

SHA256
6043773369762176524f36f0c1bc70d7dd896b9d28421752c915e73dbaec468b

SHA512
7846b7c9458fbbfdd6d362997b071028ddf707f8dbd7c1dfbb50aab757205ae6d7bfa89c992facdc9274a06ddb47dc6ad068e6b8687a91f07b078acd1d17738f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukMy.exe

Filesize
437KB

MD5
77484d1cfc9d9317f960011623618535

SHA1
b0b8596c92e66b665b373986bf03bd9278e47551

SHA256
30344a7b6c8ecc7de5104786bcb1dd76da172339d5df28aa97861e18e189ebbc

SHA512
9e1ee3ef9dde73ede423d8a55ac3726e123045164a390581a91e4591d8bc2fb8aca4bc27d1f7fe529e03965ec011a2e21e662f041b21c161874db74e7fca0488

Download Submit
C:\Users\Admin\AppData\Local\Temp\uksW.exe

Filesize
436KB

MD5
2e38143192ccfbfab28e1d62480d2b74

SHA1
03d2965fc905faa7d152ea99fc7cd349d7ba9973

SHA256
bea86012af8f7c42af866ab959bea851882022fb55d4e9dec4c865953dff992d

SHA512
3d2b65454729411e54874194f93f54bd14bef4ffbf925292b4fcefbcf0534397cdee92691a4e0944b9d9554a01a9a802e62a96fb22dcbd806f5ad1ec7e7a7db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vows.exe

Filesize
438KB

MD5
83054dc16811e5a63b2b9e050494e7e7

SHA1
6b98236eee31dbe270ec9f940c2c2bf88ba6c314

SHA256
953a96ddfc86902bc01a4e9c98f7d314613477705b56e58af0faa8718aa11162

SHA512
5bec9b8baf72d2f52cd9ecea8f60386bd6f6b85c52226f1dc06dd67c862f38822c3bd116e49b605378b13ab666b3c1450ff0d39472c691470ad74b4ca48802eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wCAc.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEcu.exe

Filesize
807KB

MD5
8a615f35036a8298a90617e249589576

SHA1
2e8e19eea331bbe90076b796ccecc813449cdf86

SHA256
c1268cf8b928d9386a6dc28f34c03b507cc431d4a178cf22c99bbc894ad46637

SHA512
9987345d31e259c006e4379b3a71feb6d7d79f2b5426b76344ae289a622e913ecc77020716fd5ac54b45e4c53073eb1dede7d78dc106c3983401ae78f747bde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsYa.exe

Filesize
441KB

MD5
f91faf65e29369325cc8dd20174bfd78

SHA1
ceb57f50878d31205958608ccf92840d950af881

SHA256
915ff17519a49836922452c480e5a6a57781698ac26ecba58a61d353ec0e394c

SHA512
e563f162c25bd87905c67f9af472c238a12fb3c421c874d83e0025683b6041eb861bce5ee2d1394f81d81147cc8f2611af224f34f921b5980ff6189d0bd6e6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYwY.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywQO.exe

Filesize
440KB

MD5
062c58289a153a6d028c735e18258021

SHA1
14d5a483953cd463aacbe43f7bc9d693c371c08a

SHA256
6c041731b7eae89f0e1793fdc331cbc6e75b3c3129c800786a4373d2c132e6c1

SHA512
1e360944459e75619369ee62d8f711637c4ddc76e5ba0c75e7150fe0c200a3df364cffa23291e6c63ae52a4aa04012149f9a8fb7c2a24a4e40942b112facdf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGYs.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\jYcAggwQ\cCQQkwkY.exe

Filesize
435KB

MD5
de3bb3a151f5c87235ef0d6ef99abcdc

SHA1
7fd817f8e2e11f1d3a3f37b15062d027fdcd314c

SHA256
d5e9153919350e44a17a722e809623d7bfa3e64257f5549a7db29d0f312c678d

SHA512
8985758c37c9224a248de6ca1df8c37327111a79df7afe0e22598d1c487fe6a66736cec4df46e2d031bce111700809a5bb6cc916432a8e95f47ac476c13e34cd

Download Submit
memory/456-1016-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/456-1055-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/572-90-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/572-81-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1096-1144-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1096-1103-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1592-942-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1592-894-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1952-217-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1952-12-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2112-1025-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2112-0-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2112-91-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2164-67-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2164-55-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2172-366-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2172-306-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2208-1327-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2208-1319-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2408-43-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2408-54-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2616-1214-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2616-1150-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2748-1283-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2748-1291-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2924-573-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2924-497-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2968-1196-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2968-1251-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3412-1292-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3412-1300-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3416-77-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3416-66-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3504-410-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3504-450-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3544-1301-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3544-1310-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3556-30-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3556-22-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3600-42-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3600-32-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3800-305-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3800-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4156-92-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4156-103-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4244-780-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4244-832-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4388-1318-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4388-1309-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4488-656-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4488-621-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4572-1274-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4572-1282-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4616-772-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4616-713-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4780-6-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4780-120-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4812-1329-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4848-134-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4848-146-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5044-226-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5044-1273-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5044-1266-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5044-257-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download