aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
Size

610KB
MD5

da97e6d9e3508bb209c851da4aaa8f2f
SHA1

f7f4888b4a08c7433169fc045d05d8f9561d58ba
SHA256

aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
SHA512

8b8193e39881157597b42a87303d0cc031fef10b646e661a74eebf42e66debfb0c5b4700c8a226a0b73dde8b9708812874c18d41e57e89d718816a3d16a215f3
SSDEEP

12288:b4vC5gvNcUHXg+mkoBIZuEp++7PVkb41gx32rT:b4vCSvNcGXm1IAEp++Ba4mx

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\UUokEEoU\\PqoAogMc.exe,C:\\ProgramData\\SeokIEAI\\eIQIYgEQ.exe,"	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\UUokEEoU\\PqoAogMc.exe,C:\\ProgramData\\SeokIEAI\\eIQIYgEQ.exe,"	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\UUokEEoU\\PqoAogMc.exe,"	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\UUokEEoU\\PqoAogMc.exe,"	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	TmMcIMIk.exe

Executes dropped EXE 3 IoCs

pid	Process
1332	TmMcIMIk.exe
3596	PqoAogMc.exe
1140	QIcQEQUo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KIgQUcQg.exe = "C:\\Users\\Admin\\yKMcQMcE\\KIgQUcQg.exe"	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eIQIYgEQ.exe = "C:\\ProgramData\\SeokIEAI\\eIQIYgEQ.exe"	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TmMcIMIk.exe = "C:\\Users\\Admin\\EoYIcEQg\\TmMcIMIk.exe"	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PqoAogMc.exe = "C:\\ProgramData\\UUokEEoU\\PqoAogMc.exe"	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TmMcIMIk.exe = "C:\\Users\\Admin\\EoYIcEQg\\TmMcIMIk.exe"	TmMcIMIk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PqoAogMc.exe = "C:\\ProgramData\\UUokEEoU\\PqoAogMc.exe"	PqoAogMc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PqoAogMc.exe = "C:\\ProgramData\\UUokEEoU\\PqoAogMc.exe"	QIcQEQUo.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sheStepComplete.pptm	TmMcIMIk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\EoYIcEQg	QIcQEQUo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\EoYIcEQg\TmMcIMIk	QIcQEQUo.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	TmMcIMIk.exe
File opened for modification	C:\Windows\SysWOW64\sheGroupUndo.pdf	TmMcIMIk.exe
File opened for modification	C:\Windows\SysWOW64\sheJoinBlock.jpg	TmMcIMIk.exe
File opened for modification	C:\Windows\SysWOW64\sheRemoveClear.xlsb	TmMcIMIk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4356	1820	WerFault.exe	654
3612	4484	WerFault.exe	653
5108	4556	WerFault.exe	656

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1208	reg.exe
3648	reg.exe
3404	reg.exe
2568	reg.exe
2376	reg.exe
4812	reg.exe
1352	reg.exe
3492	reg.exe
1416	reg.exe
4072	reg.exe
2540	reg.exe
2400	reg.exe
1532	reg.exe
3704	reg.exe
2320	reg.exe
2092	reg.exe
3592	reg.exe
1840	reg.exe
1040	reg.exe
4208	reg.exe
1568	reg.exe
1496	reg.exe
1128	reg.exe
1496	reg.exe
1840	reg.exe
3708	reg.exe
2668	reg.exe
5020	reg.exe
5072	reg.exe
2164	reg.exe
3568	reg.exe
2836	reg.exe
4660	reg.exe
3980	reg.exe
2096	reg.exe
2052	reg.exe
1164	reg.exe
2504	reg.exe
5108	reg.exe
4808	reg.exe
5108	reg.exe
1044	reg.exe
4052	reg.exe
1316	reg.exe
660	reg.exe
4780	reg.exe
920	reg.exe
2464	reg.exe
3304	reg.exe
4708	reg.exe
2096	reg.exe
3924	reg.exe
2164	reg.exe
3256	reg.exe
5072	reg.exe
4060	reg.exe
2464	reg.exe
4612	reg.exe
4880	reg.exe
3060	reg.exe
5108	reg.exe
4928	reg.exe
2424	reg.exe
3960	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4624	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4624	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4624	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4624	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3508	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3508	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3508	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3508	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3404	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3404	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3404	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3404	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
1552	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
1552	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
1552	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
1552	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4800	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4800	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4800	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4800	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
1712	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
1712	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
1712	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
1712	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3712	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3712	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3712	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
3712	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
1044	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
1044	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
1044	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
1044	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
408	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
408	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
408	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
408	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4792	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4792	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4792	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4792	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4544	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4544	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4544	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4544	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4368	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4368	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4368	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
4368	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
2400	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
2400	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
2400	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
2400	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1332	TmMcIMIk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe
1332	TmMcIMIk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 1332	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	84
PID 3876 wrote to memory of 1332	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	84
PID 3876 wrote to memory of 1332	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	84
PID 3876 wrote to memory of 3596	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	86
PID 3876 wrote to memory of 3596	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	86
PID 3876 wrote to memory of 3596	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	86
PID 3876 wrote to memory of 2108	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	88
PID 3876 wrote to memory of 2108	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	88
PID 3876 wrote to memory of 2108	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	88
PID 2108 wrote to memory of 4840	2108	cmd.exe	90
PID 2108 wrote to memory of 4840	2108	cmd.exe	90
PID 2108 wrote to memory of 4840	2108	cmd.exe	90
PID 3876 wrote to memory of 3588	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	91
PID 3876 wrote to memory of 3588	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	91
PID 3876 wrote to memory of 3588	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	91
PID 3876 wrote to memory of 1352	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	92
PID 3876 wrote to memory of 1352	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	92
PID 3876 wrote to memory of 1352	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	92
PID 3876 wrote to memory of 4760	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	93
PID 3876 wrote to memory of 4760	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	93
PID 3876 wrote to memory of 4760	3876	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	93
PID 4840 wrote to memory of 228	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	97
PID 4840 wrote to memory of 228	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	97
PID 4840 wrote to memory of 228	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	97
PID 228 wrote to memory of 2224	228	cmd.exe	99
PID 228 wrote to memory of 2224	228	cmd.exe	99
PID 228 wrote to memory of 2224	228	cmd.exe	99
PID 4840 wrote to memory of 2464	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	100
PID 4840 wrote to memory of 2464	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	100
PID 4840 wrote to memory of 2464	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	100
PID 4840 wrote to memory of 5096	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	101
PID 4840 wrote to memory of 5096	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	101
PID 4840 wrote to memory of 5096	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	101
PID 4840 wrote to memory of 1580	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	103
PID 4840 wrote to memory of 1580	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	103
PID 4840 wrote to memory of 1580	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	103
PID 4840 wrote to memory of 1068	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	105
PID 4840 wrote to memory of 1068	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	105
PID 4840 wrote to memory of 1068	4840	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	105
PID 2224 wrote to memory of 4120	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	108
PID 2224 wrote to memory of 4120	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	108
PID 2224 wrote to memory of 4120	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	108
PID 1068 wrote to memory of 1436	1068	cmd.exe	110
PID 1068 wrote to memory of 1436	1068	cmd.exe	110
PID 1068 wrote to memory of 1436	1068	cmd.exe	110
PID 2224 wrote to memory of 3332	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	111
PID 2224 wrote to memory of 3332	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	111
PID 2224 wrote to memory of 3332	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	111
PID 2224 wrote to memory of 2504	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	112
PID 2224 wrote to memory of 2504	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	112
PID 2224 wrote to memory of 2504	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	112
PID 2224 wrote to memory of 1664	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	113
PID 2224 wrote to memory of 1664	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	113
PID 2224 wrote to memory of 1664	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	113
PID 2224 wrote to memory of 3480	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	114
PID 2224 wrote to memory of 3480	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	114
PID 2224 wrote to memory of 3480	2224	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	114
PID 4120 wrote to memory of 4624	4120	cmd.exe	116
PID 4120 wrote to memory of 4624	4120	cmd.exe	116
PID 4120 wrote to memory of 4624	4120	cmd.exe	116
PID 3480 wrote to memory of 2576	3480	cmd.exe	120
PID 3480 wrote to memory of 2576	3480	cmd.exe	120
PID 3480 wrote to memory of 2576	3480	cmd.exe	120
PID 4624 wrote to memory of 2668	4624	aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe	121

C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
"C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\EoYIcEQg\TmMcIMIk.exe
  "C:\Users\Admin\EoYIcEQg\TmMcIMIk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1332
- C:\ProgramData\UUokEEoU\PqoAogMc.exe
  "C:\ProgramData\UUokEEoU\PqoAogMc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
    C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        8⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        10⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        12⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        14⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        16⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        18⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        20⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        22⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        24⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        26⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        28⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        30⤵
        
        PID:1252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        32⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        33⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        34⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        35⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        36⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        37⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        38⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        39⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        40⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        41⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        42⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        43⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        44⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        45⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        46⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        47⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        48⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        49⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        50⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        51⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        52⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        53⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        54⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        55⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        56⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        57⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        58⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        59⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        60⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        61⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        62⤵
        
        PID:4116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        63⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        64⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        65⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        66⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        67⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        68⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        69⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        70⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        71⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        72⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        73⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        74⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        75⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        76⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        77⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        78⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        79⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        80⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        81⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        82⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        83⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        84⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        85⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        86⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        87⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        88⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        89⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        90⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        91⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        92⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        93⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        94⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        95⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4352
        
        C:\Users\Admin\yKMcQMcE\KIgQUcQg.exe
        
        "C:\Users\Admin\yKMcQMcE\KIgQUcQg.exe"
        96⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 228
        97⤵
        Program crash
        
        PID:3612
        
        C:\ProgramData\SeokIEAI\eIQIYgEQ.exe
        
        "C:\ProgramData\SeokIEAI\eIQIYgEQ.exe"
        96⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 264
        97⤵
        Program crash
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        96⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        97⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        98⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        99⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        100⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        101⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        102⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        103⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        104⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        105⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        106⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        107⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        108⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        109⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        110⤵
        
        PID:2104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        111⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        112⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        113⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        114⤵
        
        PID:4836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        115⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        116⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        117⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        118⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        119⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        120⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        121⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        122⤵
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        123⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        124⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        125⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        126⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        127⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        128⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        129⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        130⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        131⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        132⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        133⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        134⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        135⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        136⤵
        
        PID:848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        137⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        138⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        139⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        140⤵
        
        PID:2096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        141⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        142⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        143⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        144⤵
        
        PID:804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        145⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        146⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        147⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        148⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        149⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        150⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        151⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        152⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        153⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        154⤵
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        155⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        156⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        157⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        158⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        159⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf"
        160⤵
        
        PID:3612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf
        161⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuEskosw.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        160⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:1844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quEIcMMo.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        158⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQsIMMok.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        156⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqoEMYUM.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        154⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JeQQMYYA.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        152⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmcEIsgI.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        150⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:3960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        Modifies registry key
        
        PID:3980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQcwMIAk.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        148⤵
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        Modifies registry key
        
        PID:1316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGcEMksE.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        146⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMEsIEYw.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        144⤵
        
        PID:2128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:4228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuYIkEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        142⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        Modifies registry key
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwsIgssk.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        140⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMMcYgws.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        138⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies registry key
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:4204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmUUQMsM.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        136⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcEEwwcU.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        134⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqkgkwwE.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        132⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKgIQYYM.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        130⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiUscAko.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        128⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSoAUsAY.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        126⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CywEUMsU.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        124⤵
        
        PID:792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        Modifies registry key
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsEIMsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        122⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:3856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgkssQgg.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        120⤵
        
        PID:2152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:1128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmIsYIgA.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        118⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:1000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYogkkIA.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        116⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awwUgwMU.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        114⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQgoYIUs.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        112⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkwYcoEI.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        110⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKcgYsoE.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        108⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOkoIcgc.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        106⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOQUwEos.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        104⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:1164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOUgAAUM.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        102⤵
        
        PID:4308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwMYMIcg.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        100⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LccYoIQA.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        98⤵
        
        PID:4384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyMEUscQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        96⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyYIIAgw.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        94⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqAEMMEs.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        92⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKYogIcw.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        90⤵
        
        PID:2380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncwowsQo.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        88⤵
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUUgggQY.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        86⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AukgEkYc.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        84⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgYQEQsM.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        82⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkMcUMEg.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        80⤵
        
        PID:2724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaQswQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        78⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:3328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQMwIQMs.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        76⤵
        
        PID:3428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:3020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWMwAEAs.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        74⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUUAgswE.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        72⤵
        
        PID:4148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAUoMIgg.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        70⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuwwssAY.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        68⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaUksIoo.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        66⤵
        
        PID:1252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeYIMMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        64⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuYwsUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        62⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmUIgosk.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        60⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAEcwsII.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        58⤵
        
        PID:3328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WagwoYgY.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        56⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmYAUEkg.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        54⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PskAMcEg.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        52⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwQUkEIo.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        50⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgAsAIcA.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        48⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIsQIIUI.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        46⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:3136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMwQsEoo.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        44⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TokEcYUU.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        42⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOwcQoIk.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        40⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekcEMkUQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        38⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCkYsoIM.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        36⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKMsIUQY.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        34⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:1496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQcUQsMI.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        32⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEEEIQUk.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        30⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEMEogkQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        28⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isMQQQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        26⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQIEkggc.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        24⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmUwoEQE.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        22⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAEksEIA.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        20⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LucsMkIE.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        18⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYYogEok.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        16⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWsoMsIA.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        14⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUwkowwM.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        12⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGoMkUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        10⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMkgswcQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        8⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:5008
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3332
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2504
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOUMsIwI.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2576
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:2464
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5096
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQMAAEYE.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1436
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3588
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1352
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vykwUMEI.bat" "C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf.exe""
  2⤵
  PID:3564
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3680

C:\ProgramData\lGsUEIgI\QIcQEQUo.exe
C:\ProgramData\lGsUEIgI\QIcQEQUo.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1820 -ip 1820
  2⤵
  PID:1036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4484 -ip 4484
  2⤵
  PID:552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4556 -ip 4556
  2⤵
  PID:4656

C:\ProgramData\QssUIgEY\QKcwwAYQ.exe
C:\ProgramData\QssUIgEY\QKcwwAYQ.exe
1⤵
PID:4556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 260
  2⤵
  - Program crash
  PID:5108

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv x876pGx6PEKITSf2koLmmg.0.2
1⤵
PID:3444

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
629KB

MD5
a98b432f93bff4cf993be29a8c46c16a

SHA1
4ae3e62db4d6b3c81ef8ef1232c282a95a11ee2d

SHA256
7f83be131e477ee1cfa241365ed1e16a1ace7566af14731eafa080f0318d50e6

SHA512
b9bd2778d6e17f57bf0cb34d998821da729c77ac88504d1c6a3a06357dd6b37ffa5ac163758ee440eb77b5366dd9a4f3dc22a7fd6c955496b408c37d6705410a

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
1.0MB

MD5
1f3e0a5650842fbd8fd155abcbf36dc3

SHA1
0c8fc95cda1fd21d09ab1da5ceabcc9786f9d1d2

SHA256
2b102dbc5ddd8953e2ae3a46ec9717ad348b22566856f1334d2b77be9c5ecb68

SHA512
99ffb2329dcf1c7336f46ec0c8b0607be988342b3b0d225504fcfd8af15be0f1bf5502b90d2b194a9fa2c0c93f9cbc59669e04b31f813613e828763a2d990459

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
1.0MB

MD5
525e91c632f2262aa3878dfc587f30fa

SHA1
2f39d9d489415b6d3b209a82bbc358dcc5351d6a

SHA256
7fe1f224409a7419a2d60f66e0049f071878fca6ff31f1c9bb88dead348987bf

SHA512
7cd545e6dc3fd83d4f4f75f65d5fc741a6c8b2e8433f427b61d85e079ff367eda4fbf76e8a8536c31236cdc99390a0fb21f1f6aeb8160cbc81f4a0ecc10713f2

Download Submit
C:\ProgramData\UUokEEoU\PqoAogMc.exe

Filesize
604KB

MD5
53dfb813174d93f6dbc28de41374a374

SHA1
1b7967fa1b87a1448a39c1dddec93be91a608edb

SHA256
5b90e367ac48a47349905b2a922e90bc17953f00bb5032c57904774c7f084fbd

SHA512
8a65bdec589077d5a10d5a5eb476429c94f2021124959ff8050741c36419c85f2364805c6e1a4b78c7d798a356a5e572767f30201997a04b126fdcfde339ccff

Download Submit
C:\ProgramData\lGsUEIgI\QIcQEQUo.exe

Filesize
603KB

MD5
279e6baefa376140950b358383b3a59d

SHA1
03e0e28193910ddc10caa9054666398072b6d219

SHA256
d1a66d8a2045f9da5e09c6a67272d5f486b667ff07ff2ead8b35c304823bdb2f

SHA512
f2875bced13df2c791d7dea25a464679316a48316e55d4bc71ca343593eb7557489816ed87be6afc8edba5354d06aea27c1468425892d256c8708aa338a6e650

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMUM.exe

Filesize
609KB

MD5
ec1f7cac0d5354c8dd99a65342a9a28a

SHA1
241ffa618077898fdf42aa88bb8927f2bb21867c

SHA256
e57fd679db799b1e117958fce3273325959242e09652da1d30ae82420981849c

SHA512
806c0ad079ad56971504bbac7230201c59e48dbeb1c8b3217c8056c7d3b6956b8a191f9cc1f251ab14fd09fe681d044d351260f209175a86070370e68d09ec38

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQku.exe

Filesize
732KB

MD5
9c230d58ffa7952d0c1781cc360616d7

SHA1
4e90e6d1f1cb47f6ca4e1eadaa75467b30390282

SHA256
5f48118837424ab08409d9120706169766b54bc45a6bce141ea0fbe61f74bdd9

SHA512
19894fbe66cf02787a2efef62af34087a1577260e126724347766f3b2e88fecb5fcbd4a302f3093d3c35ed5ecac464b33841d0440966761bae0aad2da7788954

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsoA.exe

Filesize
1.2MB

MD5
7134d481d3c79ab3ff06bde80ce9e0b2

SHA1
ea62bfde251451c9fb7c9c7369d090469e49f5be

SHA256
16f3893061c723f7f28a452c58ad770bc6caf1445cba24dc467873eae54615aa

SHA512
7fbea32b12e1a66ebef0c62416e6709ede19a67eb345b2ce9bc3d67a1433d28cc21012e6f31ed05003241ed5570e65cde2ba13065350a34dec6a7c15327e7885

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQUs.exe

Filesize
1.1MB

MD5
09eb85310ea1cd75c4fd01e75fc603ef

SHA1
2a999993b354aad05f9d127e54567a061f45f7d0

SHA256
4d4d20d87c4e7b06155827c9f1ac4ed55c5975fe01011e4e56a32b93accb3e90

SHA512
48265d67cb02ece274803724669e68fb94ef70234bbfdef78d181cd1a60e83ed3d72a068d3de3a0468f86a06bedaedada9d460beac329f7b57de74ff2bbe91c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAwo.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUsA.exe

Filesize
614KB

MD5
3844aa87e76256fdd2035e81310a6c1c

SHA1
755b5783a6cf2d97df57e0d91ac54f343a773408

SHA256
3e2b2c7ea872b49433e5239beedd00268284c78d2d6827b448bfba02ba8f05be

SHA512
b78d33fd54ee5d86b2c629b713fe50802d34e580d8ee664e29a9fec8620bc183dc40395ae940959e7455132eb14dc04b147bb97fed3d8a773fbb6f500b539f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcIY.exe

Filesize
610KB

MD5
84296d06a0f17869339b95f290a7a4e4

SHA1
9abd9646677ab324060fbf28d358b552f890bf5a

SHA256
827a7b3445540c25889ee46bc2c2d65f8c7e0ad9f28fd42fcdb8606be110b293

SHA512
b41046f86aa1eb0af5100b93827ee8ed16a00f9dcbb7effd666e8c2c5026a75a97eea091852125fe23d33967531c7558cb0b36c0007b01d9a538ee6a325a3a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQMAAEYE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikcm.exe

Filesize
1.0MB

MD5
3b9446443583d6cec26433de24caddad

SHA1
c218ef8c7a87ba35288df24f7a1ff4eea9252e6a

SHA256
f9532ce88ecd48dab38ee6b213cbab4cc51c7a98f51e07e200c5c331769957a7

SHA512
41cd1235473277e2ce2d41e6479eef251f9af1d9e379362dbf20d4f4d0f818875dd657d395686d008c8658d0a0299e89ab2bd36a226c40371d6c2a30cd0e0437

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwoM.exe

Filesize
1.2MB

MD5
b485eb8dccd2d91ff58b051a843937ba

SHA1
6bb82cae2d74272f15a4106512673e7d77c90948

SHA256
0eff7ff520d93b9183eedee951a39a751221039ff7b3fe989e3081eb14668beb

SHA512
0857e651ee626bf789357c504f9bfd761655539db10699ba3fd29b6770aff9b65e85c08ce8d0c94ba93a8beb9e0d4e32cf45f3f2d2fb07ff685fb7a7db142122

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAwm.exe

Filesize
618KB

MD5
71b0351f9a1ac3e8f6391e61de22d714

SHA1
ecfa418f7dee98f20ebd55923616e6a1dc73cc17

SHA256
75b54c925bd26635be7eb05cfb91bfbda8fe03bfb14c567a155f59602c563926

SHA512
cee9a4f62a613fae2dabe8ea3eba4b36d6b8382bbe006aea7f32d0f251aedf12a79e90c5020e02c32b055d75ffe4545c8a8294e232787ba0fc249d8c602a595e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kocg.exe

Filesize
6.3MB

MD5
a1e3988b31bf556f3152bb9d02d77c31

SHA1
fdad04b49880024e80a8f33f640e5057819c99fe

SHA256
046f40c50741e654fdb31ec5d6daa79fffbffdfd6d6a25076b42f609c1ba84aa

SHA512
866db04b0c9282408af2654c9c585d93dd908a175e942929291ceafba95055d3b16416de0c7a01fb93f073535950ba117d7dcc079b4ee7aba3a65cb41e1f302f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsAu.exe

Filesize
607KB

MD5
bd483be0e69e108d15a561548d6f6a4b

SHA1
2d55d976de2f4193e4679a92c1c071e8895d7ae4

SHA256
f3ed92d5a2f509922f821612437e42bd71271004ad56875c4a4ab7a6dc6396be

SHA512
655b90d901ed77dbb008610dd083b5a0273be0e08be6680a975d9f30faa5f1725f8a525f7a35b026419862cd60b5ff2894c5cfda5d81602b23cad7c3e7e70773

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMQU.exe

Filesize
615KB

MD5
4ce2c3eb228a29e54c328479555247a1

SHA1
98254fe7d1ce2e6c0a2c95efa706f9519d90b35c

SHA256
e1fff734052884f2729f6a05daa9bd62a02739d6595bc2c64c42f838e2285871

SHA512
267d43ba97119dc331721925250f4d96974df1de50ab89d59794a08295f9af1400224ba5030d0ef06c943b0bcb5b5ba7c35cb3d156202e00c7907013e343bf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgIU.exe

Filesize
610KB

MD5
67a3fd3f829e858e2920826fa30cb3c0

SHA1
a981b50a0f65d0081041081a5ce21c46d4e58d63

SHA256
9555b5d94d1865a58b635d949705a4347677e2638679447bf94027fe0f4fe1a5

SHA512
28d8d63da8460dfc5a97439ffa8bb674f1b4734a217a01c95c056a2ede035bf6849800132119081d677b3dc3a30f00b81e8a4aa3715fd058abc295759dc633b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIso.exe

Filesize
618KB

MD5
a0fef9194c99b1468ede4a3093ba1253

SHA1
98d6db37828bcc29f2a886a963eccbe2c86d663c

SHA256
32cad3a0d2c0ec1f085e86894f701bea5c1bdc6962d0a727ea509967810a0f12

SHA512
0a42c39cb36857128866f63a76a8ff82b2e7e4cad576030d132e70a815ac760c51b51b08106cff0476597db7dba15c9b8a26c9fe323e99f2644d9412467070d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMEW.exe

Filesize
1.2MB

MD5
920410232c8da871fc8a93332ff76228

SHA1
1d03f4eeff03fe8da7d5b5f1af67d66f122c4fa9

SHA256
d131ad539f71341f7821eee3e358cb1c486627bcb07cd02b76b24db5f5cfe41b

SHA512
b23ecd192009642e5edc0b13d17f99153d362b15ce1a41857ee527068fbc2f0f040d8843d1b34b0d7a58a36550058458456288ade5521fc33ed395a195b1205e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQkW.exe

Filesize
612KB

MD5
5b8c529984ac86e39f8b555f70be3426

SHA1
ab3b4a5eb44222dc9741de2d0813cbf8129d151a

SHA256
32b5f88a386a864e057ad97d5d6c14a18f782943eb0732782c4b3e5e746e1175

SHA512
27dd8d8199e9ddcbfd76ad0e1426fe95ad27a65fcbe5c17066613089e0942dbe7c15280e7cacd99bcf5cf44f0864da7bd41e593de8d626108b5044f443d10bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcEO.exe

Filesize
616KB

MD5
00ff83959aab8132818bff091e45c3b7

SHA1
6f38f1ab2ebcd3274134f81e895312e5ba273634

SHA256
228b6ce7ebaea31a1dc73c7e1077c9c0c68f09dbba717027b6727075317285ff

SHA512
88757df52bbf35b508461a2e72f931da35398eeb2e411d72f75aad6acc89ea5921dd41ac8a47183b9dd374971b8011dfa279a0d6ff04be99d9e6679f637193e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsMy.exe

Filesize
675KB

MD5
8d6a8e707e142abf7826af678d5ec38e

SHA1
65e9c38a6733a16c286f9d9b5fb6de32d6644740

SHA256
c77c72fa5c7d6caa0c23d052fb8c5a5cb67b98c4e9c2e479eca4b649010e665b

SHA512
6e9ef832e7ec318716d729f09152e28e81a3bc5c323e4ed221f6d02920eab423b140075f0f97281bd841933f2389e7c9769ae4702fb345450813a9aa91663d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oscs.exe

Filesize
1.2MB

MD5
1d4556e48efbf9495ed9d4dd46b48bda

SHA1
eca81e4f5a5bcb66883d77fb450cecfb6417acc4

SHA256
d64355eb6d461feac3a86ad657085d54b894ce294b8f508dce0eeef2bd6a510f

SHA512
568c4c055da5d7dea540f8829d4301f36a293686a6177975956dabe0285cdc1a4863dfb84bf56c1876671b148476ce6733dddd6b65510d10de0decb445ccde80

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAUk.exe

Filesize
730KB

MD5
df503c41c5b166485900fbb7afa06c1a

SHA1
a67e83add7ced57f56e18164f708afaa89fe0e5e

SHA256
c6768b98bff17e9d518971671f9ce94ff48bcd2bd0312c85cb64304259403b2c

SHA512
5e18e33d7d706d61eb703896cd8833dc578f73b4cf58e0bf044cb66246d9e52671f9cbf2333efd412efad12b47e9494f77f2c7132f029e55ee293cb26978de2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEcA.exe

Filesize
614KB

MD5
32113ea748218c986deeedc44b56b571

SHA1
299e3acffd9ec4fe2076db7a1318e5afe49ebd19

SHA256
5eba8dfa46a9b01e2afdf221d71ac76423c434e7d70c5b1f96e736bb2ed1508b

SHA512
f7b81019952ab9104030d909fd64ab2fa9182e6f3a6f0ae9265b7a516822985e436c7a3e1d2b94fb82793ebd69cf0095a8e7355e36de3dc288fab03f105a1e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMIy.exe

Filesize
611KB

MD5
4d79bcc6fb2598691d8daca3f1be1ce9

SHA1
46d1a3e9f45deae73857dc97a980933a528aa6b8

SHA256
4d842b941bb191bd751f080c3e38ac4c01d40b653ac79e105be6427419393f8f

SHA512
7137bc3f839614c8fb60d730089c02f6045c2a35b33a793b9dab7fb2873b6e2537f9928a345eece5e24a5a33e57debe977a1d3d4dd10cea7f96a74cce4fdea78

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgUM.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAEi.exe

Filesize
614KB

MD5
b519e31d274e4201b26f14093174c5ab

SHA1
2a9bcfd7624da175f20ab786cf691d8f04d3278a

SHA256
0935276156a57d60bcb484aca784c5e37c5c82db2e4ab6f74ee470e52ca39ab1

SHA512
4643ee1f00bb80dc1bde8526c7b18b31def86a439058d50a7d36d2023141edd2b1e7c367d879ac6ff3a8350319a54db33fe5ca119821d867d47cb152ffde9ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgkk.exe

Filesize
609KB

MD5
f85fc06c8ea798d4ac021aa9d9dadf78

SHA1
248fdc15b6109a0e3c6cfab817ecafb9f54e60e4

SHA256
97eff0944f11dae7735fe64b1e729da790d5abfda1dd497e94c91acfb05883f6

SHA512
3ae4faa3ce854851a8a85f6f79511f6050b12fea4004c25ecbd6361a76c2418a98195d0c404246c534f9ecbd0f4de5a3b327bcfd6392f08a343a0ffb4d131c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkEa.exe

Filesize
1.0MB

MD5
14360ca37c157eddf7342c490dccdf3c

SHA1
1da50d21492af2a322b8c54c0dd8860968060bc6

SHA256
e50af815ab5e9c7ccbc1085e1d96a85c4a15556c0f317f913808d6004f18a785

SHA512
e7b360620ed884c379bf563e7fd58b556534e2a22a0cfbe413ede5598281eeffd1e781daf5b59fa3d01b69b40bdc650f127b8f058d0d623f5add1fd7d4b1f5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgQq.exe

Filesize
617KB

MD5
cf469f2c3452b5484bfe3955db13461c

SHA1
d093ba476655ee1d0b74962778d2ae764f00d436

SHA256
572b2106aa6e43db64e67ea415a680f290558def345367deb6051b25dfba6cd0

SHA512
6368dd8e551e079918eab7da03bd9e31fad45f740fd1efc34a72fa0752b00c78734317ef4f61dddc52b1f6987039d224aac066ba05b9508dfabe746cc871425b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukcq.exe

Filesize
1.2MB

MD5
3826b7a637be0c4176bab7481e036c47

SHA1
9a7cb8f433208ad791fed471452512625f8f23fe

SHA256
b348230b768e6cca98d0e7d19ffc6f1993aa22f46c4b243e068362dd02b7961d

SHA512
9fd6836043644eb017e3151f0638e245f992f8cc19a47f0c00cc6e8ef7ad67f3e78de87565574c4eeac49248a95541a4bb4a60f1eb960e5138f882a5b2b13c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukog.exe

Filesize
1.2MB

MD5
19c6059e393b78231acfba2047fe5feb

SHA1
5d94979a123ae201f10ddd7599df4d8526691a79

SHA256
10d96674e2d19433a03fbe90f7b4c87ea46a6f6ce97d4435babeefa2dfbda0dc

SHA512
27771b27ba5aa3e9e987308249a13041d0100f1bb8419c07c34781b787706c6742c0c83599aea3d02f4f7f74a10e503906799ece7f88c4178281f0b9a999614e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIYW.exe

Filesize
605KB

MD5
7c9aad8d8f0940ce2168e5dbae541d50

SHA1
592b9df715591e71217661758933b8bbebd1da47

SHA256
387a1e03b73bfab6fac8f3bbd952ef65cb40716a8d4697e55f8f95a4b7b965fd

SHA512
bb4db1867e73103ced08dd1f2f7472e7127765440c3f0557d0d824673bc56476412c3fdcb97c7a521df5cd8395d6a52908342eb01875ad80b210ab16b4e0f034

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMUM.exe

Filesize
608KB

MD5
22068857d5023c02500e67c6745cb444

SHA1
062b8060c12ca3e3c2de056ab6cb89bcc1383176

SHA256
011c14878540dbe98f32f40c77ac0ed568a4d3eeda8be34ce9356b919fd89ab1

SHA512
a20faefe0861822c58e8eea2e5a3b7f2886c9dbaf7cd743d84eb0de06cfe7d788616c536e8d6da92fa9e3689b366f56fe94eeb73a2401f46f1a0506ad4d0c402

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUAm.exe

Filesize
2.2MB

MD5
5039b1400937ea83c4ac9c70608af726

SHA1
283df653d6c58434adc4a1381eee244d0cfb794b

SHA256
672e950e1ea5e26f432572a694f3a462d69b355383270fc1bbea39546a705fb0

SHA512
ad97cb49d44cbd83392a140067c82231b35e4dd589f0ebed5c1f5fd14541f8c1fea6f922f4767e506778bb5bf5dbd00a8b9b281d573cc4032038676ef108966c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wogm.exe

Filesize
624KB

MD5
1365435a418a6c5920e40a4f19692ced

SHA1
2b03706bafd1ce1497267a914ca7baa2d4958faa

SHA256
ebb1a41086bbff54be22d8d66864ddaf87c76e517f18b9665be16e7ba886c5e3

SHA512
ff115c7c2db643cfd298b3f7d2d52502980259b8d9a814e3c7401cb79f47a0ea0b6600349f29d485d05a8d7438dd3549527583d1aa37f10d9f4e7afc59ab5de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wswa.exe

Filesize
647KB

MD5
b639c9b8619f4dcc81249f315ceabf44

SHA1
80a076e6d31550f7753fcdae512ff7d01c58cb42

SHA256
4d75eb2a674d613f1d31489bf63963453366927de39f5e7c726dbd48bae047a7

SHA512
b0ec0bfeb7254733ad60b0bb183e86542f131d808498f94da8eb284e1a1b0fb4025029db56a3f1bcf3d907c031e9df1399fc72562f9016b093f9ebb32ee8f4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYQE.exe

Filesize
609KB

MD5
e6d13886cc9bb5228d71743326d8616f

SHA1
5b03afa536b71dc57f0fd2db01ab72c3222f195c

SHA256
2171b696fe1438274ad546d82797af7d7939a722be7a38b5133dc4a7bcf43243

SHA512
69fe814c0f286b5825ba9e62fa77b732ccb7130e4f466db9e4cb8e6ae5918e0a037d1a55f7305214d3260dba0ae8f98a41c4dd0e655714b9d564e80787cdc174

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa5add609a047ea6bf5cf3caca5510d82833d3873dc3e04bd98f1abb5b52b2cf

Filesize
5KB

MD5
5db1dc54d385b2c8ebb1d648ef6a6b85

SHA1
128887c0ff2ecae258b1d9a660ac7be14a4229aa

SHA256
dc7f4b958193ce130195c3adaf86480ab6b5484722d707165c40b865255ac48c

SHA512
e416afcc0057bb1403504e1a3975a77548eb9ea1c8cd9f9df70a4d1c2c6cadf6609a83b69f02635bf2dcd575f85c7633303860b8ca68d588a42ff5c58ee88b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\agwY.exe

Filesize
613KB

MD5
608b1c7d31dd87c318439e46157c9c66

SHA1
655d4382b6369db1b43eac9b784d2220c69be3db

SHA256
6dab7296849cca66ef1d0abcd71f0c16601439befb11607c2d9b6aede0422120

SHA512
77f05fafdb2b44d5fa954ccef1d7b43c75e1552e6ae247e4e3d990b2d6649726555beaf5a94d169e3567ec8cd42a14687795a49c00ca46dc3317515617bab5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoUI.exe

Filesize
615KB

MD5
c8967b280d636c4c55342b9dec668558

SHA1
3b2541361dc3300a2fee56232e071216cda6ede0

SHA256
c9c606e442b2ae12cee75d557a6097b71524ca6db52fa4947ed31f2b6c099f3a

SHA512
b5cb186dbd87b3db703f843ed8decdaf85337d0c9133db2c359fd46bba26c33f6ac6e92149e11970e2412a3b8bf523bd7ea7b869b9863f07c01d490f404d3dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\aogw.exe

Filesize
843KB

MD5
fbd47263ea33ebba01dbb0fc475c2853

SHA1
0ea9c6747dcbdb19be9dd8e2539212b0e4c191be

SHA256
d04fd9ae4824a87410e7e8774e074a7877aa81e5c3c77ee2e39032f7977bf1bc

SHA512
7afacdc1eb7197272f851dcfb37aceffcea5d521526cf866d8e681489102527bda0e61baa239903e488c6f20682b9f4859bffe2fb6cdab0c5aea53051658b7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgIo.exe

Filesize
610KB

MD5
a425d19dad1dbaf9512bbd07959d25b8

SHA1
0d8cde19a56560feba8215a49809e1ca39b11107

SHA256
eac768e9353404aba223a96011ec984239c192a37ce5094d434ae4e961f3b1fd

SHA512
c98d4bb9c6401c13c4f042ca4c37f25e1c8d53b5262351e13639db05781556e3615b84edefe7428a89dbcfb82e662f57b8c0d8fc9db25aad29012a398757573e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUQs.exe

Filesize
611KB

MD5
26c3e169abe4de96d1e75560456479f4

SHA1
3f7645044cb778de144e8c5aebbbd8891d86e428

SHA256
61e0fc6f44d91df6899a7a5030c49173920ae283b5c58d58c0bd394084827b12

SHA512
0bf11e4dd2394eef109fb8be056d75a9dcf17872f3f22f8057f59472925928df32fc0ed1a696d155ad375f3b100f444fd4427dfea5ecd77e6691f38fb126ae47

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkEM.exe

Filesize
621KB

MD5
3ca3f61aa42a43ab1c57aba23ed228ba

SHA1
c75f8f2b32d5cd37a9be1f2ed8aba431cbf7d813

SHA256
02d048cf8177be76fb5ae6b62129a060e88b87d18c47f7363451fddea029deaf

SHA512
c9374ba59f741bcb91541a2782b5762474ded2c1fd80f1e215bc3e75ca6d97294b2d6566fba2e851a895379bd73ca6d33e499d5182a06a478791a937f67325e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEIu.exe

Filesize
608KB

MD5
dd6a8c4cb35f79b6d16d4df787b8794e

SHA1
f0e4fda452c58b92d0d2c8028619430257c999d7

SHA256
fc4e741a7a839e61179a68671988954d0e6ecef31c78d00b24bafec497264e66

SHA512
28262e24ea995c3cc4a6b7784cb3e90e93916b7380dcad87f0df27f9e15b3ea09b05732ef63ad1e85045c1a4da41030f56b272dc3fd9623d160d3e238f32baae

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEke.exe

Filesize
606KB

MD5
e370099ce4e627890e6c6b7142d75fb9

SHA1
d5c176e309301abc8059756de9f04f16fd99e715

SHA256
01d79c1add1b585f1632ee73f10d69dcee0f2102fa75cf61eaffce3c28266ef4

SHA512
63048f92f35954c01e7709456aff166973008f7b0721bab3854efc6e20e43ff4187cf65346530a70b3f20a9b2ab59d698a7f9daf41afdc99f72a4791a811abab

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYQg.exe

Filesize
619KB

MD5
a4fe93a7aaff2706fb43e15b1220d7a7

SHA1
5a489498f45b72525ada950f7a4368c16a59db77

SHA256
6704e1d3c1bc537dcb265549c4155accaabe4a969addbe95f0440c6cb681c2d7

SHA512
cc7386b31f07c4f93c3ef86b75ab1f7ca1803522468eee6801a52e5d7cc2aa1d6eda404ff9d5173a6b2a48896ca259eaeb5d994ba4366f7930f0896218eee8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYwg.exe

Filesize
612KB

MD5
1ca406f2fd28486ed3efc479006b1e42

SHA1
d9dc14aba4683975aabdbebf69c5fd9b3110711e

SHA256
058efc0b398eeefb9b536f3a974e790044c160b1f1ef7c3498e0cab7dbd3a32f

SHA512
c020421a51967c5b24d0456913e213afd707dec48088b236f56142fc886813d6d6f3878beeb83943979e79c830ef66aaf8fc14c7fc8237a697821be16ccc40cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iags.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioAI.exe

Filesize
618KB

MD5
f672c2211eb4ce590430d13baeda0597

SHA1
57f7b6d9b7259282368daf56412dbcf40c1a715a

SHA256
7f87f33adf59a81ca76d5376ddaa0ea9bb68f50fad410bf744f245d79becfd55

SHA512
310ebffa5f081219c7ad4b56858c21b19bab07fd1799459f5e23526f2331b3f0cc3c8f06bc3aef2df179fd41fd9349326fa8613dc4c465c277d2ab4b50040ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwEw.exe

Filesize
607KB

MD5
92beb674472dad98eb1cf3cf107dc76d

SHA1
91f80b388e976b2f84a46832cd71f640a3022254

SHA256
0f6686cb4323dcac008c36a10968adaa03495025418576ed2d5ab77ff9ad6b4e

SHA512
7e0edb654bc098b0499cef36ad7fe0b60bb80498586cf584d48ce4a024e8a1a42f481771a5a18a1151c234bfe69cff13f5326b477cd1b0abf7cd2ed60f4972e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEIW.exe

Filesize
980KB

MD5
a529d63339aa2e1e54bec78754904b1a

SHA1
8d1fa77222299c6d5d33b7e2cebfa5578e675241

SHA256
ed56bc1e915a824cc9fd4119647589df9a3af6bed100ab4f97e9e3b7d89d2c32

SHA512
b9613f40f5aca31a8dfdb2c3390e0f8f8ab60e8130ea8eb2d687d8c96a3feac88497736fdae67f44eda72df7ee7bfe81d19ef5e10f0cfa8acdbde81991737ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQcy.exe

Filesize
613KB

MD5
84b7ead208f5c1b2d647358255a501e9

SHA1
edf6876f24a62126cc038f5661eb9f5fa1b4f36b

SHA256
ab76d96dded834eee7b5c179fb5341533fdde4119884c6bd23391e0804808c40

SHA512
b47defb01f28406cf064de8564f3b93845611bef311f97c21e4f13f2e6f306f0d31a87402f381b126aebbb22cb75a6410ac12bf0d61d29cfcb3a466571fa0623

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYcS.exe

Filesize
610KB

MD5
e02e739eafff0782b4e71d00fe131712

SHA1
230e8eeccbc93e99d0f666e51cd9b4cd6210e3fe

SHA256
1d5f5b8482e730772179c25ea02e479f9e446bd5954ab249a8983bb9014680a2

SHA512
e7a195bbbb5330534e0e89e46f9bb39935ebd9e4a379f861c1c86182b42bbb97c71f5f039c5ca02bc88fe6d84601f15ad4b0c12831c51bef9081a5d7d824772a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkMa.exe

Filesize
643KB

MD5
913a685d366a11c82e1c1743f62571e7

SHA1
c95be88677ade66f9d55969a3863da2db4bc0fbd

SHA256
ae8f7c62f06173e63f01046b55d5bc16b11c9f8d38b4656c490a0a986b7105fc

SHA512
0b911e7998db7ea3c6a7a782510b5c2f1b7ec5704efb3bc91256805ece50e594c5b2a7b4e4846b6bde503dc9e5569a236d9da935e6a4a373710df28ce42ca6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\koUu.exe

Filesize
628KB

MD5
ee68e2ef959e2fe39f01e312feb355d5

SHA1
746a1681f556a09cf202e038ad3e6564646d62d7

SHA256
34972c523bcd04f5a3c2da8d8409369e9ae696a40ee703c35235f86d0b3f8f51

SHA512
ff4fbda65969720b508faabf6cf806d7a9f6c6cc50e55fab91ad889ef1a91bf01cbaeb405189de96d4b97c6a2676bf644c15223398e9411b347fdf8bfd2941ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQQe.exe

Filesize
614KB

MD5
b7a7ac8a82ba86da15230a8395342eb9

SHA1
abcdea6921223f112abcfa42f4c36ac0291e00d1

SHA256
cf1b9538cc9ea30002539932f8131a86b371fd9e6897758012f57e1b56e35e9a

SHA512
cc4dfbb8b7642159820aabe4359aff151a24f9e6cac46e2e3ed9fa497c444012fbba8eb8d932c73e07a26082fe23b80270786f9e583c5230281f48df69e7c175

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAYa.exe

Filesize
632KB

MD5
5eabdc51eb63fe5e91fb76e587f2273a

SHA1
f431f14dc6c026b6b02d34acbd5a629cf302c541

SHA256
a22aaa77762320abcf72d880e7736049aa836aa57bb87babc10948daaed6f535

SHA512
69672b768b47a34e7da07e5f2b0c34e0c166a0e684d64226c554b60c1e3e8a9c175e72913d91d3cd50b75b26a1b7452d080766378c83310ac1b5b84db4c1e573

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYQk.exe

Filesize
611KB

MD5
1562cab53a9e9aa33e4020ac1360b9e1

SHA1
ebacf58297ad99340f2075c5db3c82dc9b99ab20

SHA256
9bbcf4fd495ce9b754809637201b73732ed2292e80c7a3cc3de732cf13ef53ae

SHA512
58191d24cb8f48d326837d34f92e43fa62d7fe19eb6036dda9c9eb77cfa4ac9132c15502d9b9f1d544a5e788f8c0dffbe1dd2ba98068f5f5851da776e37601f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEQI.exe

Filesize
610KB

MD5
9d604eb94cd3908c026947cdc912c667

SHA1
06752cc70b74bb6f2afe329ccf2f358b9d6a3be7

SHA256
96ffe17b9e5875c1012d30d662677943398837cf19c64c2e3f669092342b6ea0

SHA512
f89931e7e4430a2d1d384d3a15a8dcd5d9067d7d1eaf8640f324373d70f028d4b3cf7bbb5e8942286144f7d377e067740772fbed960e549cd1cb740eba79ddd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsoK.exe

Filesize
1.2MB

MD5
e7b7fef9e2ff0cc5499a981c2e8b922c

SHA1
60e9b998727eea970cf620063b881e80af941b0c

SHA256
a73b15011d88ea2a6b7ec8904e40e930565afa58e178a42cb904d3f90dbeba13

SHA512
299664ab71354cfb44b137add0b0e43741da785a43fd422097114d86999e809c1a3f7f004ea4367c820100862a3a1e72a19ce6f712ff663aab3b663a504e344d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEUS.exe

Filesize
604KB

MD5
11f3392e94eaead50537c50d047cdd1a

SHA1
171e125edf58a4162136276ccffe794b9c18bdf8

SHA256
7a691759a0e77eb47cec3aa79f6285599e1a97bdfdc17c55241a043107d3fd25

SHA512
6c834b0ed16340fa8fccbc6d8978bff45f4a80936e281154c37076eadb57a6a61ec13baef3775544ac4533041bdda0c7c0e94295273b6c4be81a08a05e7a5d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYgC.exe

Filesize
615KB

MD5
8652d8492401fd4bc9f680f3d8cfe359

SHA1
6ba0741083dee2bdcc1a18c6c25b85db5a03d87d

SHA256
1b11dd6b98acc825fbe1da8f4ae281800dfb1ab25f9754d936c6e2764ca7443f

SHA512
7cb4b745b25fbe17c6c664be82ea49c3d4cf0016859782377f6c888df4524c7e4f7ef900e1a6f457e1b80b01cc14ff56e13ff64cdcdcda540975ca4bafb31ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\swwk.exe

Filesize
1.0MB

MD5
3a1e30cf551e9a8b915e1e49a6217252

SHA1
2be5adcd4364bb546fd8c97c6d7a99d74d802813

SHA256
82c547e5bf0931f5482a6576996dbe334876e5e6b751d2a2fe5c10f7311ce749

SHA512
2879155be131f292c7f7b93882656a2415da541a4d734320b21f80ba4fc87621281f8f079a9a9de47e2bd1a7718c115e1fecf282c3d25bd6e03b1f7bc2648496

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEAG.exe

Filesize
613KB

MD5
dbe3f91658d7431e4405a1d4b511ec09

SHA1
885e17b7d0ce5bb5a3f9f0954554767075a9bb92

SHA256
4125ecc39afb91f7b988f6b2c745790569deec4af893f98d5220512fd5812b42

SHA512
94a8e90813092fb6b184b565e2fcc12984ed557705a3939d4e62456e8f2bf4b88c3cb2a031e9a3ebe249654925c1307d0f29f7858ea97f90b5fcfe15afcdf4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIkO.exe

Filesize
606KB

MD5
5685a5886a90844ff1ea5a71f0045889

SHA1
b0cdc58e8e40cd85221e218b61ba26abe9a12059

SHA256
4955a719b2f2665d9d02a7797b4eff61176fcc5d0e9a6459bdca4cf8ff5d7a77

SHA512
17bf9e64bb07e6d3ccae5b5299571832c6bf32758427ea4aefc8e4227d7579a6984995c1f9bb1aec123c09dc89a0e8924b90b66bc556ae460a77f33b3fbc5828

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYss.exe

Filesize
608KB

MD5
f1356815ce94f8b3c4583a8853cf7b84

SHA1
04b0a47a54450b31d2e2f38a08c8002f8293585a

SHA256
230f31134c156bf6cfeada4aff8733e33d87bdb2a4710067ea9f185df5beed8b

SHA512
4c71b4619869d6f278dde11f37a2037f98ac61b9770fdbbc2f0a7e81ff77a7ab05350a1712adfa2512c512216383a5c75f8b9d88bed828a215baea9c456be354

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkcS.exe

Filesize
611KB

MD5
0f35f79294e2b016b9ab2e8abf5a070e

SHA1
bc2f775bdea9e20e0ad476cf7e7b60944c1a5b54

SHA256
a9e446e097672fa13684e7b415edd634725042e37953f97e46c099e2912bf2f1

SHA512
5b22d7e1e4e4c010120ff35ce19ab67e4686a135431e840a6cff850bc4ec05fee3548fdb7545ec62b5ad714cf202f591acf9d646944a5efabf3d7270fa544745

Download Submit
C:\Users\Admin\EoYIcEQg\TmMcIMIk.exe

Filesize
604KB

MD5
011659df4669e5a8af4b2d51aa2828b5

SHA1
d579a95a5aa3022182db9cbcddb6519f94cf98f0

SHA256
f87f29453f83a2ec18cdaafb92d77440b6459aa2cd742bb2ec379b3b55c381d3

SHA512
8a151a13f09997d8a03a986b620922a0b541dba0f4ede7bd305d996832a770f1d99eac475f0cc6d85b4c301e98c0964c1e93a3f4d55892853f9c36d03cfcb5ef

Download Submit
memory/1332-5-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1332-1551-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3596-11-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3596-1613-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3876-154-0x0000000000401000-0x0000000000496000-memory.dmp

Filesize
596KB

Download
memory/3876-0-0x0000000000401000-0x0000000000496000-memory.dmp

Filesize
596KB

Download