b161c762c5894d820cc10d9027f2404a6fec3bc9f8fd84d23ff1daef98493115

Analysis

max time kernel
93s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 09:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

194KB
MD5

8803d517ac24b157431d8a462302b400
SHA1

b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
SHA256

418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
SHA512

38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50
SSDEEP

3072:slkfrcHVaq65Oe/ALwm19MYDzMLGquSOt+nSmgevSvoWAnvN0bfINcfln8rvK:Wkfrc0q47/UwQFSFnH9SArvakSflnCS

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (76) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 5 IoCs

flow	pid	Process
41	1920	Process not Found
45	1920	Process not Found
47	1920	Process not Found
49	1920	Process not Found
51	1920	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	aYsQMkUQ.exe

Executes dropped EXE 2 IoCs

pid	Process
4552	gmUUAIYM.exe
1228	aYsQMkUQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gmUUAIYM.exe = "C:\\Users\\Admin\\NmUIgcEw\\gmUUAIYM.exe"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aYsQMkUQ.exe = "C:\\ProgramData\\kYAQYUAc\\aYsQMkUQ.exe"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aYsQMkUQ.exe = "C:\\ProgramData\\kYAQYUAc\\aYsQMkUQ.exe"	aYsQMkUQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gmUUAIYM.exe = "C:\\Users\\Admin\\NmUIgcEw\\gmUUAIYM.exe"	gmUUAIYM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksQcYUcw.exe = "C:\\Users\\Admin\\UmkEMUQo\\ksQcYUcw.exe"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pkAkoAAY.exe = "C:\\ProgramData\\figgIYUU\\pkAkoAAY.exe"	[email protected]

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	aYsQMkUQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2780	4856	WerFault.exe	299
5068	3864	WerFault.exe	298

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	taskmgr.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2916	reg.exe
3868	reg.exe
2528	reg.exe
4388	reg.exe
2124	Process not Found
1548	reg.exe
4136	reg.exe
1056	reg.exe
2212	Process not Found
2540	reg.exe
1744	reg.exe
2032	reg.exe
4772	reg.exe
3144	Process not Found
2652	reg.exe
3116	reg.exe
2840	reg.exe
972	Process not Found
4972	Process not Found
212	reg.exe
2864	reg.exe
4548	reg.exe
1664	reg.exe
1064	reg.exe
4644	Process not Found
2008	reg.exe
3296	reg.exe
2408	reg.exe
4628	reg.exe
4428	reg.exe
5056	reg.exe
3452	reg.exe
1304	reg.exe
1164	reg.exe
732	Process not Found
4300	reg.exe
2956	reg.exe
3980	reg.exe
4740	reg.exe
3208	reg.exe
4464	reg.exe
2240	reg.exe
1212	reg.exe
3904	reg.exe
1872	reg.exe
224	reg.exe
760	reg.exe
1588	reg.exe
2744	reg.exe
3208	reg.exe
2504	reg.exe
1920	reg.exe
1740	reg.exe
2416	reg.exe
1876	reg.exe
3656	reg.exe
2012	reg.exe
4524	reg.exe
2868	reg.exe
4768	reg.exe
5084	reg.exe
4428	reg.exe
456	reg.exe
3140	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	[email protected]
2816	[email protected]
2816	[email protected]
2816	[email protected]
2952	[email protected]
2952	[email protected]
2952	[email protected]
2952	[email protected]
2688	[email protected]
2688	[email protected]
2688	[email protected]
2688	[email protected]
3444	[email protected]
3444	[email protected]
3444	[email protected]
3444	[email protected]
4092	[email protected]
4092	[email protected]
4092	[email protected]
4092	[email protected]
668	[email protected]
668	[email protected]
668	[email protected]
668	[email protected]
3472	[email protected]
3472	[email protected]
3472	[email protected]
3472	[email protected]
4524	[email protected]
4524	[email protected]
4524	[email protected]
4524	[email protected]
1736	[email protected]
1736	[email protected]
1736	[email protected]
1736	[email protected]
4032	[email protected]
4032	[email protected]
4032	[email protected]
4032	[email protected]
4512	[email protected]
4512	[email protected]
4512	[email protected]
4512	[email protected]
4596	[email protected]
4596	[email protected]
4596	[email protected]
4596	[email protected]
2508	[email protected]
2508	[email protected]
2508	[email protected]
2508	[email protected]
1420	[email protected]
1420	[email protected]
1420	[email protected]
1420	[email protected]
2984	[email protected]
2984	[email protected]
2984	[email protected]
2984	[email protected]
2004	[email protected]
2004	[email protected]
2004	[email protected]
2004	[email protected]

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1228	aYsQMkUQ.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	taskmgr.exe
Token: SeSystemProfilePrivilege	5112	taskmgr.exe
Token: SeCreateGlobalPrivilege	5112	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
1228	aYsQMkUQ.exe
1228	aYsQMkUQ.exe
1228	aYsQMkUQ.exe
1228	aYsQMkUQ.exe
1228	aYsQMkUQ.exe
1228	aYsQMkUQ.exe
5112	taskmgr.exe
1228	aYsQMkUQ.exe
1228	aYsQMkUQ.exe
1228	aYsQMkUQ.exe
1228	aYsQMkUQ.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4552	2816	[email protected]	86
PID 2816 wrote to memory of 4552	2816	[email protected]	86
PID 2816 wrote to memory of 4552	2816	[email protected]	86
PID 2816 wrote to memory of 1228	2816	[email protected]	87
PID 2816 wrote to memory of 1228	2816	[email protected]	87
PID 2816 wrote to memory of 1228	2816	[email protected]	87
PID 2816 wrote to memory of 2864	2816	[email protected]	88
PID 2816 wrote to memory of 2864	2816	[email protected]	88
PID 2816 wrote to memory of 2864	2816	[email protected]	88
PID 2864 wrote to memory of 2952	2864	cmd.exe	90
PID 2864 wrote to memory of 2952	2864	cmd.exe	90
PID 2864 wrote to memory of 2952	2864	cmd.exe	90
PID 2816 wrote to memory of 2832	2816	[email protected]	91
PID 2816 wrote to memory of 2832	2816	[email protected]	91
PID 2816 wrote to memory of 2832	2816	[email protected]	91
PID 2816 wrote to memory of 324	2816	[email protected]	92
PID 2816 wrote to memory of 324	2816	[email protected]	92
PID 2816 wrote to memory of 324	2816	[email protected]	92
PID 2816 wrote to memory of 212	2816	[email protected]	93
PID 2816 wrote to memory of 212	2816	[email protected]	93
PID 2816 wrote to memory of 212	2816	[email protected]	93
PID 2816 wrote to memory of 1544	2816	[email protected]	94
PID 2816 wrote to memory of 1544	2816	[email protected]	94
PID 2816 wrote to memory of 1544	2816	[email protected]	94
PID 1544 wrote to memory of 4100	1544	cmd.exe	99
PID 1544 wrote to memory of 4100	1544	cmd.exe	99
PID 1544 wrote to memory of 4100	1544	cmd.exe	99
PID 2952 wrote to memory of 5068	2952	[email protected]	101
PID 2952 wrote to memory of 5068	2952	[email protected]	101
PID 2952 wrote to memory of 5068	2952	[email protected]	101
PID 5068 wrote to memory of 2688	5068	cmd.exe	103
PID 5068 wrote to memory of 2688	5068	cmd.exe	103
PID 5068 wrote to memory of 2688	5068	cmd.exe	103
PID 2952 wrote to memory of 2744	2952	[email protected]	104
PID 2952 wrote to memory of 2744	2952	[email protected]	104
PID 2952 wrote to memory of 2744	2952	[email protected]	104
PID 2952 wrote to memory of 4924	2952	[email protected]	105
PID 2952 wrote to memory of 4924	2952	[email protected]	105
PID 2952 wrote to memory of 4924	2952	[email protected]	105
PID 2952 wrote to memory of 2584	2952	[email protected]	106
PID 2952 wrote to memory of 2584	2952	[email protected]	106
PID 2952 wrote to memory of 2584	2952	[email protected]	106
PID 2952 wrote to memory of 4184	2952	[email protected]	107
PID 2952 wrote to memory of 4184	2952	[email protected]	107
PID 2952 wrote to memory of 4184	2952	[email protected]	107
PID 4184 wrote to memory of 1908	4184	cmd.exe	112
PID 4184 wrote to memory of 1908	4184	cmd.exe	112
PID 4184 wrote to memory of 1908	4184	cmd.exe	112
PID 2688 wrote to memory of 1968	2688	[email protected]	113
PID 2688 wrote to memory of 1968	2688	[email protected]	113
PID 2688 wrote to memory of 1968	2688	[email protected]	113
PID 1968 wrote to memory of 3444	1968	cmd.exe	116
PID 1968 wrote to memory of 3444	1968	cmd.exe	116
PID 1968 wrote to memory of 3444	1968	cmd.exe	116
PID 2688 wrote to memory of 760	2688	[email protected]	117
PID 2688 wrote to memory of 760	2688	[email protected]	117
PID 2688 wrote to memory of 760	2688	[email protected]	117
PID 2688 wrote to memory of 972	2688	[email protected]	118
PID 2688 wrote to memory of 972	2688	[email protected]	118
PID 2688 wrote to memory of 972	2688	[email protected]	118
PID 2688 wrote to memory of 2148	2688	[email protected]	119
PID 2688 wrote to memory of 2148	2688	[email protected]	119
PID 2688 wrote to memory of 2148	2688	[email protected]	119
PID 2688 wrote to memory of 1740	2688	[email protected]	120

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\NmUIgcEw\gmUUAIYM.exe
  "C:\Users\Admin\NmUIgcEw\gmUUAIYM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4552
- C:\ProgramData\kYAQYUAc\aYsQMkUQ.exe
  "C:\ProgramData\kYAQYUAc\aYsQMkUQ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        8⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        10⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        12⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        14⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        16⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        18⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        20⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        22⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        24⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        26⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        28⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        30⤵
        
        PID:3920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        32⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        33⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        34⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        35⤵
        Adds Run key to start application
        
        PID:1016
        
        C:\Users\Admin\UmkEMUQo\ksQcYUcw.exe
        
        "C:\Users\Admin\UmkEMUQo\ksQcYUcw.exe"
        36⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 224
        37⤵
        Program crash
        
        PID:5068
        
        C:\ProgramData\figgIYUU\pkAkoAAY.exe
        
        "C:\ProgramData\figgIYUU\pkAkoAAY.exe"
        36⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 224
        37⤵
        Program crash
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        36⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        37⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        38⤵
        
        PID:3296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        40⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        41⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        42⤵
        
        PID:2384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        43⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        44⤵
        
        PID:3424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        45⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        46⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        47⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        48⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        49⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        50⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        51⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        52⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        53⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        54⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        55⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        56⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        57⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        58⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        59⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        60⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        61⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        62⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        63⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        64⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        65⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        66⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        67⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        68⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        69⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        70⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        71⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        72⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        74⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        75⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        76⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        77⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        78⤵
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        79⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        80⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        81⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        83⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        84⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        85⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        86⤵
        
        PID:2124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        87⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        88⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        89⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        90⤵
        
        PID:4292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        91⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        92⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        93⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        94⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        95⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        96⤵
        
        PID:2952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        97⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        98⤵
        
        PID:2716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        99⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        100⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        101⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        102⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        103⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        104⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        106⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        107⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        109⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        110⤵
        
        PID:1100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        111⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        112⤵
        
        PID:1732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        113⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        114⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        115⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        116⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        118⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        119⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        120⤵
        
        PID:2536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        121⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        122⤵
        
        PID:4268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        123⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        124⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        125⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        126⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        127⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        128⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        130⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        131⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        132⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        133⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        134⤵
        
        PID:3156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        135⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        136⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        137⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        138⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        139⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        140⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        141⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        142⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        143⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        144⤵
        
        PID:1640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        145⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        146⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        147⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        148⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        149⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        150⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        151⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        152⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        153⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        154⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        155⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        156⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        157⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        158⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        159⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        160⤵
        
        PID:3980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        161⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        162⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        163⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        164⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        165⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        166⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        167⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        168⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        169⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        170⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        171⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        172⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        173⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        174⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        175⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        177⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        178⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        179⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        180⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        181⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        183⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        184⤵
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        185⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        186⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        187⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        188⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        189⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        190⤵
        
        PID:2948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        191⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        192⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        193⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        194⤵
        
        PID:2312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        195⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        196⤵
        
        PID:4652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        197⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        198⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        199⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        200⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        201⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        202⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        203⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        204⤵
        
        PID:2868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        205⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        206⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        207⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        209⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        210⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        211⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        212⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        213⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        214⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        215⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        216⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        217⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        218⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        219⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        220⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        221⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        222⤵
        
        PID:2700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        223⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        224⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        225⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        226⤵
        
        PID:2124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        228⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        229⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        230⤵
        
        PID:2744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        231⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        232⤵
        
        PID:1524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        233⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        234⤵
        
        PID:1588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        235⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        236⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        237⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        238⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        240⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        241⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        242⤵
        
        PID:1296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        243⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        244⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        245⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        246⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        247⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        248⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        249⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
        250⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
        251⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:4684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:3092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaIIsIIk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        248⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqccwAsg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        246⤵
        
        PID:4628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqMswYkk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        244⤵
        
        PID:3920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:4012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YskgEwMI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        242⤵
        
        PID:1056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies registry key
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymUMAIUs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        240⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMwIYQcU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        238⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jewMQEoE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        236⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:1872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HywcgIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        234⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASMUskog.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        232⤵
        
        PID:3548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:3416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gawwoUss.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        230⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:3208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCAoIUwA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        228⤵
        
        PID:1420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSkMAksA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        226⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuMsggcU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        224⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pygcgscw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        222⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIMUgcQU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        220⤵
        
        PID:2956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiIoMkgI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        218⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUoMQQUI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        216⤵
        
        PID:3964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEQMIoco.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        214⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:4348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gicgQIEE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        212⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huAggMUU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        210⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWckwAUU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        208⤵
        
        PID:212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyIAQEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        206⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies registry key
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQMIMkQw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        204⤵
        
        PID:116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:1300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYoQMIEc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        202⤵
        
        PID:1744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:3656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEcIcwkI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        200⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:1056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCAEwkAI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        198⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOwEMIUY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        196⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqIoMcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        194⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:1836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGUoIsMI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        192⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:2020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwIQkwoc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        190⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:1164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYAEQkIA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        188⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skYEQYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        186⤵
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CacQoAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        184⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OeUUUIck.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        182⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGQMkQcE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        180⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmcUokIw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        178⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKAMEAIc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        176⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaIwgksQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        174⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGkMMkQw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        172⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:1824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEMoIgkE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        170⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:3980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCwIYUsc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        168⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:2224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:1804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCQMIAIc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        166⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies registry key
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKQAEwsg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        164⤵
        
        PID:3508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOEgAQUI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        162⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        Modifies registry key
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIogUwEs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        160⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiIMcMAY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        158⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        Modifies registry key
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCgMQgsg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        156⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOQMQYsA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        154⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEcswgEc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        152⤵
        
        PID:3548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSwkwUEY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        150⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiMIcYEA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        148⤵
        
        PID:4576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEkMQYkM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        146⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIgIUskE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        144⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKsUwIMw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        142⤵
        
        PID:3156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQkgwoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        140⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEowssYw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        138⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqkwEcso.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        136⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:2840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKgQUooI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        134⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSUgMMoc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        132⤵
        
        PID:1080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWwMEEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        130⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaYccoEo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuAgswEs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        126⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGcckcsQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        124⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceAgUwIA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        122⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaoYsgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laAMEQYY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        118⤵
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuwAkwAo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        116⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEgssIsI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        114⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:3140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwwEYMQY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        112⤵
        
        PID:2840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:4012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uckQMMkI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        110⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swwAMwgY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        108⤵
        
        PID:4424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQcMUgkU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        106⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKoAMIQE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgwoAQEg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyIMIMYs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        100⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGoIsgYk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        98⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKAMcQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        96⤵
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywUcgcQA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGAYsQsM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        92⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqIcMsEo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        90⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:3424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyAEgwoY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        88⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:1696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSkQMAEk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        86⤵
        
        PID:3232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmkAoAYc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        84⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgwcQsQw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        82⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:60
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgkMkcMY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        80⤵
        
        PID:212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKMgYYco.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        78⤵
        
        PID:2120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:2956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSsAAgEg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        76⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQocUwYY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        74⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUMEYsYY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies registry key
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQoUwAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        70⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoAEMoAo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        68⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AiAUAgEY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        66⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWYwAcgA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        64⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMksoEkY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        62⤵
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMEQwIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        60⤵
        
        PID:1732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGUEckgY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        58⤵
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCQgwgko.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        56⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoUsAgEk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        54⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaYgcgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        52⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSIgEsQs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        50⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMQosAsI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        48⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fscggIwA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        46⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGUIIQsg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        44⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCUcwYYc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        42⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuMYwows.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        40⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsIoUIYM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        38⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmEIYMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        36⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGcMYwwU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        34⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqkkgwYw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        32⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUkwAEQc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        30⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViIcwoMs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        28⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiscIAAs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        26⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:2416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoowUAso.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        24⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OegMskkw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        22⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCMQsggI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        20⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWkQsYgc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        18⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGEosckE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        16⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkcEEoYw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        14⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMQccUYg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        12⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSMsscUY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        10⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\essggMMw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4796
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:760
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:972
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcAsYcok.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
        6⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMYgIEsk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4184
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1908
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2832
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:324
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsQkUkoU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4856 -ip 4856
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3864 -ip 3864
1⤵
PID:4460

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:468

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1664

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kYAQYUAc\aYsQMkUQ.exe

Filesize
201KB

MD5
b8d7ad0dccbe9ad8f7923b79e684766a

SHA1
2f5a80b108b79707f47b3b8181cba7b6ebaf4ab0

SHA256
63e478213250304ce489f4ee1bdccaa29d5515f9838748b43ca07a352922872e

SHA512
2ac681d5742da2adb12d6de879a700bb9a5fdb04657f722bf826ea8b8ed9a83d54e1f2c8248673a01cc4f39b070a594aba7296836477d5ab538dafa543c7053b

Download Submit
C:\ProgramData\kYAQYUAc\aYsQMkUQ.inf

Filesize
4B

MD5
affce498414d07c3401bc1ff16cd12d5

SHA1
a5d676adad15c6b40cab135880cde5bd02ccc718

SHA256
980aa9974f5da46a4fa5b77e9dff4adb247805dcefc3732c8ede9f5ca46971cb

SHA512
7040e79554c1616e6691f12612b6aa1458221ddc450845cfe66116dc0b03e9bfb316fcf00e8a3e075f54f53023d34c01337ce75733e1ebe6964283479d0b0e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe

Filesize
196KB

MD5
1614bc5b48853f6923c71685500dae1e

SHA1
4486bc932378750f1e5689d67c9a56cad8422bf7

SHA256
df506d44da000d3e29ae8b0b1c39d7a07fe622caa10c140cdeb79e77601df886

SHA512
ef088e259e6ae7e69a5a399b398f5650b52f4bb9b58cf297bef7c182a887d8aefde7091158ed4cc02c1bd71a4cb7ceec82fcd8a28cb5a78fecfa3cdc45c3fddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
189KB

MD5
0fdbc930485243a0de6c57f11366b1ba

SHA1
6d0b58c1811b2cb202916f79fa980ccc2a104735

SHA256
f30379ebf00858936724edfdec2d8ab8edd2ffeb50fdc00b50d51090c82578fa

SHA512
0554c9acb7437c15360f2c0125237655c3fc92fc8645ae00e87e1a44c71027c96d3f0d753e13b7f4e15fcb458619359fc3170a0698bf60ef3e9c8fd042c42e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUEo.exe

Filesize
205KB

MD5
9688497626c3a9bf13b2ffbdefd7ec4a

SHA1
907cfa87d9468b8431579e2ef077af4b3e9aedde

SHA256
13dfd35a84a648e4cd02a3f015ce9ec36382e9d39b56619acf3fca1e6e0c6ef6

SHA512
e5ad6b17085d57ccb15b3e7abdec8318440d637c9bb1d5e81112ac4b85785aed8e2d998c1d5a13acf5e598d7258e76cd5d98a7847bc76338ec75872b7b569af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkAq.exe

Filesize
240KB

MD5
52ece9fa7977ef1456300577c8b94714

SHA1
5ad9c2b5b58a3a2b34add7de2a4393c15e1560c5

SHA256
fbeb573b5c53e9f4116b140df5fe9bb21120859a22b22a1741e051cc27dbd6f9

SHA512
0ac30a9473656c79bbe6f96d918c4b05b5f06fd5ade6702f692cbf4f82fa8bbc6ef996c58b24564035d23c601b040ba7f14cad659737f862d346e05f3694cd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEIM.exe

Filesize
827KB

MD5
62671947654fa6905e3c183109634fba

SHA1
a121d6a935f739a0a3e7337e93389e71acfc56c9

SHA256
c38c5ab2632593638e10244989bda08a01310a6372a144c4d6c05d0a2a7bff3c

SHA512
c8c0dcda135edcdc0183f4f7adaf5862743619f0024ceaf2d2266161cf9e54995957e70566935cc52d50f9c46263b9eb0f7a2b6968b2098886daa1a2f7831f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEMo.exe

Filesize
203KB

MD5
17877bff37f23a3a7dbe046d57f6b643

SHA1
3372291c6f64973723a04ac7060c8397092b70a9

SHA256
6dde93e07fa13e7b20dec70e9ec1c5fea77c33447f3155c0e7eb6ac07af267bc

SHA512
6aeefff1a2079c40ee571c01b09abaee215073c0c8d30e55489e843ab8ae86c3875704e9918c82118686949e54790f880b023d8ec006489eaea041c2fcceb5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYIs.exe

Filesize
1.0MB

MD5
e796917684cc4591a7545a0bd5399f8a

SHA1
da222e8b20eefcdbfd79b9d6965b12f6c11cb6cb

SHA256
5c43088a5a8ddf8034cc8e20afda5720b6b5d49472cbafea71d41acf9e2c1f74

SHA512
c584556c50471876d349e9969e28ee3882ac059593cdd308d2a2d1feddb7a91f3a0a2c787ff5ed3193a14488dacbca8a27db1c0729fc10a92cab8d77fa3b701f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYwg.exe

Filesize
191KB

MD5
c93d56d102360cc8f11f0c316bdc9f0b

SHA1
a9de27fd4638117f03479296c57498809d306ff9

SHA256
9da11ca63b930c6d007a41535833d774b568c9cc76cf9d1e6a1094ea91d36925

SHA512
cf9ada7e50488b70a76ed3b96a90048b6e6a35809bc8deb20ffac99526836fff1520d20d9d8222a0b32934cd8126dd58a6d2d1af277e38911fbcb7226b0e2dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcMm.exe

Filesize
5.9MB

MD5
a10525ef2a0115dc7ed802f38a76ea58

SHA1
656e261f8ec3e1cbc35387d6907d4df993adb1b1

SHA256
c2da53423dc60eb0555b4b508b516cc027494b62ff17a065611947b99b334506

SHA512
5ffb74e3b501d1f569da9b84e59ee3dac8444fb1cd325c6474425dcad7faa23fdbbd4080d225943e07714288cedc8ae380ed953c35042ce73a6cde6f282adfc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwEs.exe

Filesize
786KB

MD5
6fa34b0fa24f05535eaae72927eee519

SHA1
3334508814599d00b7071b3ba001ac5a2139b84b

SHA256
9247032e1c0398462a07822542435102dfe0d4aa5f6a5d6c102a78f5aa841ec3

SHA512
6bd8113e71216fc907af1eba14306890ff0a3c1277c9f6846152c0abdf2d2befc187ca2b899a69be15788826239b53e08aecf16d5e33a847d835501d732ce9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsYS.exe

Filesize
182KB

MD5
da1ce34e06388d181e3e17ce62f635e6

SHA1
b3ab9ef1f05f6879d4e0537117a867c48644e187

SHA256
f8ba87884077122772870d79d9155b4dc862620495d8a08061a2cffb7bbde227

SHA512
6e1e31d43e8501108975a45b4191eb09a865fb738c62d54534d8416fdfef28a678dde77e8752612784042bde9f3e15760ef2b46589681ccaf396680915bea4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Esky.exe

Filesize
202KB

MD5
6e20df7dcb4f06b00e6e937e458b788a

SHA1
3a257351d0fa30c874799641bac4b1f2e9f04719

SHA256
4be81a858b7a2006ef178a9d25ef6e9e5f1121c7dbe906b6b391652d6c69a4a0

SHA512
e96bff4fb7ac59cb74fa3201a11abd67b8737fd08dd94799606af5da6ed7cdf935220fafa8fade89efc73ba9d5cfb4a8148638a7eaf745fb52c71103f137178d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwUA.exe

Filesize
637KB

MD5
12dd7279c1b2943888fb962381268735

SHA1
2fa571e41791e6bb157e2b99ffea4cbce230166f

SHA256
ad5a8ff4ec9eeeab6afe9e58d80b1bb09481f3313b24a014bd34a2de64aabcfb

SHA512
0d8f0c87e266fa5c2b852fe4a69cc720d8cf5e724a105dfab33b1b1ae405e8cbf5ac766fea323e6e1ed93eab146af0c096dcaba82d35cb23bccb5c08a90b2f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMw.exe

Filesize
194KB

MD5
2867d2fe8a52a65f08df87a9a1a203a7

SHA1
8b3981b821e869c26220972c6e06037af2316a3c

SHA256
ec48350a7c9116050c572b9fdabd8a9bb8ecb48ab22ac5669bf8a96f264fab29

SHA512
93ed5477e9ec0b58acf0c0e0d1173c31449344fbc07567edad90a351178a010558bc9a74f9f66296e82aa22b5e4416cf37550f66f257a9233a56ea4e6b65bcc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYoO.exe

Filesize
181KB

MD5
df3a1432ac79236c5c8e14acc72eaa63

SHA1
ba6ba9606ec659d2b0e47c8c525108f0711bedf7

SHA256
6c28085f9b5c8c2cb69b8c661338038d0abb1beb019825d7d8a752c3072f40f8

SHA512
618efaa842303417e3083f7fc88a20a7ab94d67fb5890de073d1a6c6453e6cb214610cc078d98ced37e857a3fa1829d664ef4f2cc40111353cd043b145560630

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gooe.exe

Filesize
199KB

MD5
1caecf2e7c368f28d1012e836d3f4790

SHA1
b7d305b6d2231ad97ee6948a0db615a29e59ed1f

SHA256
a9585954ea70bf5062aeb2277b10532ffeec6a82e17b49eebd7f531c3ab052ff

SHA512
40962cf53a481247a3a23d5bd94be2581d14c4d27e48d511f12b2832b1d1bd96560393a321a002bb8c1222c2bd8d576a7f8462c4d1d0dee51b5e204628e5def8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsEi.exe

Filesize
1.5MB

MD5
4fc00769abf3920bac8b7222abe16643

SHA1
5fbb10a62847ddb1ff4153227d877b292230ce4a

SHA256
ec32af7c290321ef558200e1525a6d64768d07afff7a371f376814e7b2c524c2

SHA512
03f0ac2f1fbdbf50adb6053e5b301a2a93b07b2e800dfef5a12029448100c5ce96c47218d3960fe80a484ee19ec661a53c850c15e011783c980c8e06ace984ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAMs.exe

Filesize
205KB

MD5
f6b2931dd2baa39abc195f5cdc551452

SHA1
57d3d6279569a750266ad72a41a672edcfabfda8

SHA256
8adae65985e12977e64bdd00798d3512cc9dca0fa43923f44b5c5689f8b8e11c

SHA512
2e72738c5842461c0e0e3be2a13ed843c6d2e14be0349ec70c23ee82b92f8d19045ea6610f37a2a93291a3613363c9073ba85388725ebf799fac945f86476406

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEUE.exe

Filesize
311KB

MD5
447f36df5a60afb120d9783b0e0aee2e

SHA1
b6030b0919a8b47086825bc3cf40fa0f331d67e2

SHA256
24751ffe093ce5a93dc1445581b7bd3f695cb656114351774938ce4b49ed8e5b

SHA512
d5a53abd985d42fca2803fbec0e5b84a48f4ecf1db3ed6ed85493c155f488b0adec26640d4c56ccc886a0717f0a2d36e6da87ef682e604f9c711bf9823c05bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMkg.exe

Filesize
207KB

MD5
fa3cd6f552b73202931c13c0c819b7c4

SHA1
ee6302f37892c401b69c38c1ec58cfdfb3633680

SHA256
273c9803abc0572dca702e7abea887ee6f355ab2d99bd640c1cdc5abb686e288

SHA512
471b9075323b4f05608dd4d656c7a5ab05dad515288027a798c777b33a49bc70bb9118c05df2d8416e76489adb17ecae75e5affb5fd246bc6fb076c7905085c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsYO.exe

Filesize
197KB

MD5
6a03aa960f4069027554ad242d9a1e5f

SHA1
ec2f0c85a16faeba88ebc9341a095716f3c3b367

SHA256
5ff999971e60e40fd8a78396f2eee2b025bf522fd5a356fc33ebe087e87e18b7

SHA512
6c7d9475a81061909a60a4270f3509712c3727338425fde4c29f84127db6048e3afaab626f2a92269b314adde1b362291c192279aacebb59e84636cd53af2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUQe.exe

Filesize
193KB

MD5
f779e781bc11d033dc01d627d0dd58a2

SHA1
250dd0bff7e70a1e8759162c1062edaee86da6ed

SHA256
cb764c21c73fc1013d287ac998324ccfe93550c7d93b86d9b57f86a0040c46cb

SHA512
ada7bc710fcab023b46f963ac7b9ac6ad043ded8b96946a06f812e2546740d31f64a4ef8b1b5cf4e6c5c808c944845fbf62c4d5aa2cc644936fcd6ccaa062d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\McwK.exe

Filesize
183KB

MD5
0dbd0e8fc85846f134edc2e772d5df60

SHA1
423d6e0dfe0f309f02d439944d8b441bc8856f2b

SHA256
f58894ecca72f61c10d5a7b0a989723bc2f7721dd7f55694901cfb8a2e33bc5e

SHA512
d81ca20ce2826c96883df798ecbbdab427235c6f1c22ddcde6dd6d0d6c78a720cbb128f8bd247c5a93f936234ad07ca8d9fd19be1e586f8520d26748fdc3a445

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQwq.exe

Filesize
187KB

MD5
e5f65c3a954d9b73d465288651f0537d

SHA1
6cff92499a26ee60bab880f621b938a226a11600

SHA256
d17c31a5e323445e17472cd76b33e21754c42bba1c9296e7c012d994c8446602

SHA512
24456249f310ae7b995d07493e13bc3b5afaea876d152d580ad18d95c3c97a6e91225538ae77aeebef85a9c1b4ddd55b78a2c0f7ae260f6a75dd0e92a3788298

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkMM.exe

Filesize
220KB

MD5
6ecad3df9e46be3ac1bb2d707b090d61

SHA1
75274b267c8c8b042cac19216838bfc2fd5ae8be

SHA256
e8e3368fe5f7b922f08c2249c2db8e475af7cb16250feae444962644671dcab8

SHA512
1fb55159ab83803d7ef8578c82e1a4bc6520690712328c82ffd4978d244306ff5cb78db12ebaeae933dc586fdb6e04085b5980cb84244b84e63a63ed04389e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsEo.exe

Filesize
813KB

MD5
a367d5a9e44b4a4650245cff3f6dd0b1

SHA1
2186f834d2ea88ef0e9dcc806481be28c4b192f4

SHA256
8f1e3308fbaf68a02c28af00fa526d382c699806525aef2340283ca22a40d8bc

SHA512
ce0c16a45038af588f2b8907d4b8b9f23e92d9ca487d35430efdea287d2074411c0a0d2cc59427df699891aa4c1a08821099c44645e420fcb8ddff775c6a85f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwQq.exe

Filesize
197KB

MD5
c3d54ef84f3512344ac1df018093960c

SHA1
18c09bd0a1bd02d5f07dc2f4130c7a74c3ca77a2

SHA256
c5dc55322695add98201ccb198e279e9c77a460b6149215f3a7ecd0071ce7ad4

SHA512
ddeec023e8c0f5bbce9d2b3ac11534592b8ca0519fd8f66b7f6069a500a26449893b024e731752ddfc442747bea76d7fe05ad5415f4481fb3e7e95269fb6c2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsQkUkoU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEEU.exe

Filesize
196KB

MD5
386c777757fb2ff010ebf0e289ae367a

SHA1
6f14e9184e0a509e49f0685789e01741e89e0ed8

SHA256
c6751ad0f6bfc52ed3f52455ff73bf2d116919d3a93c768d357843e355dde171

SHA512
193226f8cf8cdb9e9b63a5218dc04c864753119a8ffaaee0516bcdb8cc55870015abea2f937b4ca9b4f97cb2ddc87bbeaa4fb05679116568d9ecb34832db18f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEYM.exe

Filesize
202KB

MD5
21054872417c41c966c96344567d4164

SHA1
2c6b1c3f38e066630d8b809f7ae5c2ceb2618669

SHA256
121759efdae45fe76bc67d8b6c03014c77f1519bddf17885230882abff9c0d05

SHA512
61db33ab1038c5c05e5e56a89e427af4ce00d292a51c8b0079ff5aad82551e7d9bed2e8c9b5dd1fcb1f676d7372b6eaa09b0d5fd50f014db383143a44d5afcf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgwk.exe

Filesize
208KB

MD5
8c155e684ca7fb1fc8c8dc92a4e9c04a

SHA1
a35f748816dbfbe34c4d9fa83bd919f3b00ba2af

SHA256
81d6e19ab0cf47de7d54219b41db79e023dfb261316252a97d0f9e460089fef2

SHA512
24f9c92f3538f1cfed15a15eee88253df5e73e7a3d495743de720a286945d403b5ce77c4e4caf5553513c2e7dead59814fd2b7b85192c683f7984e478f397c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUYY.exe

Filesize
229KB

MD5
752b6ff1725a89ef95295da18921f0ca

SHA1
671770e677c8221a9bde2341584ad3eaeaef9c60

SHA256
8e38d5979846942d0cec4a0acaf057522224e26044a07eba476928b3602b61c3

SHA512
1b406d81586879107c10bd827c1f1e6be04dffce812905d9507f1f1db58c9110b87429667d24cb4a9b5afe9dbcfcb477836616f99875bf02bcffaba7e5f161d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUwM.exe

Filesize
198KB

MD5
67dabcef028bd881b1dbaa4b83f4a331

SHA1
b0fa5b99792cb560e9ba5727bc90052093ef2139

SHA256
14691e965c59f7e2890cf38b9917bd1899422d88479330f535ab8b0710516424

SHA512
4d0eafd8350f8b8098c0cdb4d952da767838fa0eb295d152b5ed4306f32ad2455501361248f76b1af8a27ff2f3c18c23cff558844bc7b144db4f5ce0b35d6a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYIm.exe

Filesize
188KB

MD5
0f3a337d9e7849d7855b6a7d83f4f627

SHA1
c6779e8af277a372ac4c8f5363b2f627ac7da608

SHA256
09649ea4c1a292cf5cb4e8aa9bf973df4bfec27f5cf8316b678ee4df39d28cc0

SHA512
04850ada42e42981cb3d01c65160cf8da4f1fa0a81d7cec73eb424f98bbad3c0bb11d4c65861a11d9f4adcbb4cefcb296eaffe198cb8924cf138227cc6159cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYgm.exe

Filesize
321KB

MD5
3795adb887eb9d3d6942528ac8e95cf7

SHA1
293fdc64b4a6eebfd31c54d9bd68b7e90871ab8f

SHA256
2219e47162a5fccd1e2bac472a142407955489e67175db0bdfa61c59b2d49c43

SHA512
1e042dbc6440a71afd623578dc80dfa251f767616b67ca807abbcc2b749dcf2ef43d4de4690e87ea1af1689995b149ac6caa870fc3ea977d25e122e94d88a546

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scwi.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsII.exe

Filesize
230KB

MD5
895f86c6c829b510b60e850165d3ed2a

SHA1
e66f03fc8e12d2d5ee6476e25fda275072b0f3aa

SHA256
9a5a4c6d57a804e745379cc0f3a8f218fba64c6efdce40ca5e8c2718beca8fb6

SHA512
49a4b62a0f25103090d25688d89570d83103055c9a5fa535b2bf2a696a86cb99c4c0c1ee46464fb1305167a96e1fa045b8af8d09fe0808c10c97f89de410b5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAQq.exe

Filesize
574KB

MD5
58656f4e884b62499784134f1cd5f4ab

SHA1
b38f18473d5b1e6a169b667d0de4212c6bbf9fea

SHA256
0d180fa7f361ec57a4b0a61682c9962f75ae644f37942deeb882214cfd189746

SHA512
00d50167298c538554a154697bbbb4d5a4b6f5c343391fe5607f7a8fbeab2dfc0f5157c8033d0a10962675a7d2f9ac145dc89afa7a192a38dc296d89ef0f671f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMAu.exe

Filesize
653KB

MD5
0d02273b17a191d6175d66b94399cfe6

SHA1
1ff8761c33477c53212165f56b38c1534cd0acdb

SHA256
9795674ca905b3581d525a2b4a76fb9933607eeadf98bccd7dcd3808608e4316

SHA512
e25bdc6dff1673dedfc8f077721331d3aa61c51268061fc569a5ed67ba587937ca068017a3df9f6e6a52aa5265fd0a91acc20ac0729b0fef94f5ae6c9ba2dea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMIu.exe

Filesize
1.2MB

MD5
4b662c7280fa02f2b30e34722026c326

SHA1
acf60236cfcd6b5f0ba1e25a1cdebfad20639722

SHA256
95083bec234cd485dd1fbe7ca9c23bb3634b3468bf0c6ce30274d794450bc5e2

SHA512
2990bd646a1e70629a82445e8a500c0916d2922e888d9882a64146515a1e08638ea1ba2899dc2cc22e0b1e2cce1211a8fb332dbba1e18461786d3e433b30b21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UccK.exe

Filesize
200KB

MD5
1e67002030fa3d5b0ac88f75a8dcf5f7

SHA1
68b3fe138d1f003162ba9a32874e101c8903732e

SHA256
78bd2666770ca94ae650a0fe5a3323d7ef3b5495fa5be8ced883c61661728f3f

SHA512
866d5ff64ce500dbcf7425e6721aa12e82c834d5ec1f343759900b43ac83f30f9aac2273679ec08488fc200619343c4c9cc297b2a2e3447e73394ad10afd03c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UscA.exe

Filesize
1.8MB

MD5
82eec0e0e80c48d6a94630e59a8003f3

SHA1
9ebe3122991c130219251788e1d97b7324d196f1

SHA256
fa018b42bb85e076ad22ce2d5d7cef4c44c5c71d95a0846eb9d2d9fc67424412

SHA512
3c769131a294b56940d1efb309fba94fd802aa0a20a3c69ed003348c2cc02b062d274a19a790f5c314ab6bb959a741722fafebc641bf2d4816724c4e37205b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEIy.exe

Filesize
197KB

MD5
d319c2481199d4e0d69b7f58c6f1e63e

SHA1
77c486acb569cf227989da969a10e8cdb5270a38

SHA256
7e1fa4cdfca25eba37127c5c13b358887433a2c76a0939dd6a0d81fc76490779

SHA512
1935f7e12a828faeffa3508032674e39d7a076d9a3a72c85f2f21b66f82ad57224f2e00ff67a45a0aa918dca0dc5f2a24b62ceb203c0963c38e5a65af92a4b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQQc.exe

Filesize
193KB

MD5
05ee31cd09bb6a99c9f6e76a4ea84e5c

SHA1
39ff7fb4f68363a169a39335ddfd73aba77a26b3

SHA256
bac4b2f0d913f9780b6703e6e4952a9a399d9bbd90fe67144439cb9598cf0cc3

SHA512
b5cf6279971dcb81c9d260d702f9c41b46c775e816f4d7be7c9c49542c4902eede929213a1c76e6d132f293f4f644d704307f9a48978ccb5e3d857d331ed4bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQkU.exe

Filesize
196KB

MD5
8822e831ef7f6cb2ad3e3812d9068ebf

SHA1
682907c9d31b2ebcd0a2d371f9b92b968f39b7a1

SHA256
c674ff6163757e7a72bb677ea976a5cbe53a5a7a59c4f3e6dc0873ffb196882c

SHA512
ad265fef93d309687a75bb2a5d472048335ec2f6fdf9b4b2b430b3b11041926ecc91189214d4c874b6d9ebe3054b725f6bd24da51130faec3d04a887c433bb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQkg.exe

Filesize
181KB

MD5
d458c0573607c9d98c6b175faf8727e4

SHA1
919d3e41ea0950e07bafe109313df609c022bee9

SHA256
4ff58f7e6451190d0995ec88517f3117a0895faa89cf3bc295608b42e6d3beb4

SHA512
8a4f36181d44c877c01ad3e5a6bc88b1e22347f8cd6b083d8bca118af292cf0622c76c4e6d5df0232c92848566ed5f1abf1b78417955e46adc3d52d29907b54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsYo.exe

Filesize
855KB

MD5
e5cb9c0b9d1737ed2dff5c27d99873e9

SHA1
e904506f0b38fa528631499f2d96fb4eba43aa8b

SHA256
ebb795ddaf4462404304cc0381fb0865c3eb7b57348f72cd92eafd0dbcfe819e

SHA512
ad3c7d55d6d05eb3fb5aa6f63ed694513f743100df9e8ab3ae6b09be7f71362b1761f6e8f272e1083b15dda38ca99cc8b623b830f65fa5651479730214584f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEcO.exe

Filesize
226KB

MD5
9f37b88352ced373f6ab48f478062ce8

SHA1
178778fd88d158fb7be40a9b6c35be86a41097c2

SHA256
27edfcf1d7fb6649ffe5fcc7d5ee5488d4eeabafd3a79f21334afe565e11b616

SHA512
afac199821309d6798cfd0e7d6154b1e68ad3e6c19853480ee059e7434c9ee68bde7a7a09b2992b075b0967e0ffa7f295076f9072a6a3630349c03f8c0bf83b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQse.exe

Filesize
197KB

MD5
49009efae8c0825d2070e8b9324954c0

SHA1
6c762c9bb31b5abaa0948f4d0761c09e913aac84

SHA256
0d432cb4de3534e5cb4e1ea0514eed579facb23cc575f6779f603d070b0ea11e

SHA512
ce3529dd726b6a3b4a95266ac24e75adaced53f4e271c3ee779257e0ea508d52486b451cbb62bc0d95097599689826224afc4bb6b168ada658ddb8eb21bc0426

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYEO.exe

Filesize
227KB

MD5
14002f36f17330f1cd05891f46c49431

SHA1
b2ba35da1124654a6ae6861b6d6be035f4bb0112

SHA256
46bd6bd79da0fe9c8644198aceb1c207cc1ba713ae33c84a44346706e1a0efc5

SHA512
e6b015d8ebbb99610a28d8005dbd82c10d190243ef91bf074a507e999f6118f098116ae0cca1a08dd5262c1f1e8681bf75e37748ac10fd1cb11188ce34ae8123

Download Submit
C:\Users\Admin\AppData\Local\Temp\akIA.exe

Filesize
196KB

MD5
16eb1501bcdb6d3dcaa9fcd18f819fa6

SHA1
aeb8d38074437f2d7470f0a63ba3dcea02a3fc3b

SHA256
5dff493cd5b404a218ad0fe352f0ad899e976954ecd76b9fb3bf0382e48abda0

SHA512
d8d235d508a814cf7137f9e731d9f64cf5255b4ec21499750dcbc89be58565449593218b4ef3271c40bb0a7d1beac10eaf67b6a52d2ae1b3139ad4e1503b9596

Download Submit
C:\Users\Admin\AppData\Local\Temp\aooo.exe

Filesize
221KB

MD5
d3bb7ec3e0561e8a96730bb88bd44056

SHA1
09858930cf04453a931215ab1122b6883646a053

SHA256
aedd672d316182ccda3787082e0006ad2431a85ad4808f0c7d652e973ec3c421

SHA512
3328e4de7dffbd91adc63fbe92cb3750e7ab78d61a55326a03a49ceb1e059bcb79171c1b2ef6418e8f5a1534e09a1f878402511d6c63e65eededb39e3f4ea370

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAMO.exe

Filesize
203KB

MD5
e726ce239097b272372c3e4a14b90878

SHA1
e7f774834bb14ab67df4ce9004deb7f8fcbc024a

SHA256
97f30a218b21f80859bd5516c80e19ee0681fadf7e5862fc527c22386760d0e3

SHA512
93413dd3d999dbe2fe9310aea32b8d88d89456b243a3cace06a3ab3a08a024785af57b9dc0b973117f3983bcaf86988c2578971d1de7649cc417cf96659d4e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEwY.exe

Filesize
207KB

MD5
517360def40436d324f2fa48c4fcffac

SHA1
1ed52072fdad4b6bd3491177b5b9ce0bd48a251d

SHA256
6f61f27a69ac1f25bc538df9609722a7b62a0dde73b7dd2cc2c20024a19cdd46

SHA512
bed8522d13a3ba39257a36bf3d912d85068eea700e3e94020fc60b9ffd69d7ddbb12511633ae96ac08699631b57ab76a8ab61748471b6ad07b577cfb5c273405

Download Submit
C:\Users\Admin\AppData\Local\Temp\cccQ.exe

Filesize
184KB

MD5
ee81fd1e2dd834c40e07a9386ca66ccc

SHA1
58da3db9096562cadca4c123203cb6740d0a3146

SHA256
317170663159bf9ac005c6fa3fef18da2eb9f3af6f6f4dc463be8e230245af7f

SHA512
9b1ab4d1db9288317cb9f8241ba3386b3121ac804a8bb1a018e29aa1061554d5e712b31bebb9640f2b07e3c7008d885fcb9103cc2d20169bf4a6693eeaea29e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cckM.exe

Filesize
965KB

MD5
38b03ce34ba7c57008a2ac1d7d7bd218

SHA1
065853ee18e559ce3137ba89dc7e8ac5d4cf8944

SHA256
9e582f9cfdef1ce3826b80531a227a084d2c39f1038de9d0b965216a27f150de

SHA512
959feaf376a8531fd248a4a3539d85df1ae58923496f620291d80bab19c83fd3964ead3d1fb12c4ce994da2f8685672d5011dc160e02a92e2b9c7f4cf1e3794b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAcs.exe

Filesize
211KB

MD5
8445d2f1882083f024f307352d0e8e3b

SHA1
cb888a66537f97e1e96dd54680b678762f81e65e

SHA256
c6b702f2a6f3d31f2d8109e7ee14bb7e60c56197a774d9d56794b938804e000d

SHA512
51ac7206d4bc81431ec3b1f0f5ccd0878f1da4ebb6071a28544708799bd8835582649f4a6f39aa845d0e9bd56bd8aa4a714caa2169078e7715dbe3aee6ae92c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEoc.exe

Filesize
193KB

MD5
7195216849f0fa62d2ff055ab5a309a6

SHA1
7d5597bb46207b2ff85121dfd931e777377a58e7

SHA256
f3b46533191a27a5f722651aa76738c115499e5413fd0daa84d67e89a5a85128

SHA512
663b5aacc66ad8a4787c65a9a6a93c61505e0d38a17a5abf03edf91507f66a59ebc0f3a6a5bd1e157f34821a0284f0b1bdff377025bbcfc8073216b8d376cb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQgo.exe

Filesize
785KB

MD5
5b6e79d4a490739355ed7a5ac6b621bb

SHA1
6b12f922d6237dee8c21a0a4298cbfaca3ac3229

SHA256
44310ed647e780ba5da6bdcba11c996da25417ea07c103f9bee90135b5368d0d

SHA512
1989100ff946465493e1555c4b812675b1c9cc03b758a157e5deb4d581a705fcc802991ef834edc289f1d97343be66248bf0e0efeda212e0be2d564f59035508

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecMM.exe

Filesize
812KB

MD5
40b69b66b4112442de24e7032a2ba900

SHA1
09e2f8ac85ac8f8f7f4f79f970d757d458a8dbc8

SHA256
da8ef155df746611f4f79d502b83f01eb5d019e9c7e845ed91304c47a5eaa164

SHA512
15912861ea295eebf4fd8af1bb0c635d9dfa0db38d8a40983a07db04de7a3fad3907174383412074c4d58475a0a5e08b07ed7e6bcb8985da8733f1cc0fade844

Download Submit
C:\Users\Admin\AppData\Local\Temp\egMU.exe

Filesize
181KB

MD5
44436d913a8fadd8c7780eda59fb19c5

SHA1
435bb05ccdfb997a8463f53d4e2f2083b52a41dd

SHA256
6afb8695292f29df4809c6f2392d4eaa7bd475e5cb3252ef5ffb6da1646f5994

SHA512
f7a6ca24b97e73393223540e101d7eddbbd053db58dd6a5bc1b45ac39d7fc5c0f232d09092d3649ef1f1deac3bf63d5a87cd29335dab37b9abbadf799de36e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\egUS.exe

Filesize
205KB

MD5
24f9edbe6b2ecc000f239b95ed208fc2

SHA1
ab3a1ba307efcef4ca2008f4e0c68b7bc27a5580

SHA256
9fde52b897f62fdc62f884c3623cb3985295c7794109e0eb4b0fd353349652f6

SHA512
e377a47ea52fc47498e8f712d00c680ab38c77f20e8476eb42c345f95885f2b4d0d3565f1674ec8ad0cd5054c7a9d21c4340b1e1eb966bfd6a9815a18432e05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMoI.exe

Filesize
959KB

MD5
846a5b342b9d6d36ea89287e642d079c

SHA1
c9a0f9b808d3d81862350742ca8f98f5c323c7b8

SHA256
515b49a514a1d2711b4a33194dfa74def28cf2f2d278627a5cc0f80e41374bc7

SHA512
c2ac9d5a022aabd6232459d083bed07492e56852046a165a5ca3e3800ff11282ff43068b6bb3e71eb07cf168ddaecb698bc012b0a2fcaa5f856dcea98bba7396

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQAw.exe

Filesize
201KB

MD5
607588791c4c8bb955209b93e158b756

SHA1
5506836190539e4ce1257bef16fc1559ca6af0c4

SHA256
d2f73f69978bed1ba13088d228232358ab718cf3ed1481932375113c3932873d

SHA512
d81cd002047c621c70fef2fc825c20ac35ad63fd1488c597a5ab4e24a71bc677bb9e3042d63240c0e8ab44401d46f1eac442fed091d2d3e6db4d818d3f554b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkYS.exe

Filesize
200KB

MD5
9b3082d5773fbab9890b81603c2227b7

SHA1
b505271395739fe02f3b240db7f65bb6154b9c41

SHA256
5b9f8423d347b06ac36a1117e22830d4872edacc2010b62330d3452481cf05ab

SHA512
79ce94355f910ada4057d1fb574e27d07778b73d62e536d9cc7085b6a616fc8eba7e9a2194537e9d2d5105d0adcd20f79fd072eb1e7e20bd881baa904b807a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYAS.exe

Filesize
206KB

MD5
92a0e7ecb60c9d5ca0a73b2d1b6762d4

SHA1
4800e8c47b5b7ba91ee86d949e554d4a26488529

SHA256
e8a1f432c59a875f9bf136e2a0e819acc21783b9f7e6a188df3fefefbee3ec15

SHA512
839aa24b206f8bfaec3cc0851fc31b616f786de89354da106e0e280661e0205babd1f41a89839b3fe098fc2b1c2af579ac3258d82148d7d001f9dc2a53e8bfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\icQy.exe

Filesize
322KB

MD5
445fcfe84c78e1d71620c07d9eb22b8f

SHA1
51aec353c542dc5ef3cc6c2175fafeee3de9b9e0

SHA256
854f488529cf17c6351954cbc02811fb18a6aedbf49350f50414f2e180f60f67

SHA512
c724b6d4ac36648b13beb40681ab00c822b4d3a0f8e46e3b969600b425065b7daf704171d24f8afe58121e070daba28558d4d3396266861b5bb877d698bcbc99

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwow.exe

Filesize
1.9MB

MD5
ff06e0f69fb038eb4ea9a792fd77dd4e

SHA1
de66253d776f42d61e9b82afeef91ac28ebd2521

SHA256
d3b25dee33856155ad4c22bf41b77aae1cc058ad5ce6e3f17bec9a7f99fc4a00

SHA512
2dd2619c09b4993d02f7972eba3652518947c7a7e7f82f514287aef5ff250f70e683ff7fdd5bddb996a100f79b60681e726cc00af35f60ede55371de69d80d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAsy.exe

Filesize
241KB

MD5
c9096744a4dd23a19f1cae3e869fab4f

SHA1
d7537918e1b62b9b057933e7b7160ba8e4ff868b

SHA256
554f1453a2d92f8620089732494a8dde8be3b7b7529e55e49a8cc2ea7f272981

SHA512
75e02f875d2f86d58ee5d8d1082c5b5b5839446b7b4210b4cef85508049eeb8dffa4be3644c25929c0f1c64e02c2a48020dcb90132f04d96a16db0a885c0663a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEMa.exe

Filesize
188KB

MD5
7d8439a560260c1c4e7cbe9c92ec4b0d

SHA1
649da679c4782d6fc58459ece634e4130032ff75

SHA256
62405219aa4cdb2d6471d9b4e7de3aa5b54ed7ae72094cb6a169e7cd6d85ecc0

SHA512
b7515af5aa7943bf8d6cc88accbf338e787d2147b29727f209d00320d0e24d4b089d4b79d10bead6181d3f4ea33b77f39d9869accdc4a8c0e2c121417c2a06eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYYO.exe

Filesize
632KB

MD5
f321771093fda28cdf7923d08dbc4649

SHA1
4170cb6b8f87904db7a7c462ce484020a8a4e3c4

SHA256
c95005bd255ff692a2c0c2af0395863fa932490a873003f81022308e6663bc78

SHA512
08de24975c82151a939b3d1bdbab051b157fb27bd71f971713be801adc2255755a3a7578accdc237e7fbf4a7d6e068abcc841973fdfd5328fad21a1908373326

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgAE.exe

Filesize
193KB

MD5
3e871e9426aaea8b678933c1245abd9b

SHA1
e3ba35bdca45136ac285a1502d710dda361cfdc4

SHA256
a99ab55023fea47910bc8f659425c947384fb25e92849816c01fda2e09a28769

SHA512
7e050eac7af059569a898142cc3a7df21cc8804d0017d6e9b9b9024a3b4dc11db43b156623509a8adfa1ff24314523a8fa8a4abb033315620a20f52e6a086d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\mswm.exe

Filesize
205KB

MD5
c88659d18788110dd3f7ac8cff92277f

SHA1
2a016d2a580c930a5bb712fb15f33259b06a5b35

SHA256
b5f5ab8e194755cd46d087049dc4d38a45168863d8659af8c1991707076e0b59

SHA512
4f87cfafc5e52acdcbab0bef10f4d319fa88e6d7a281ba51077402a07c292382b46c97e1b1b6246403791f01ca046fc8d1e4fbee2315e01a6ebc0aab225dd63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMUY.exe

Filesize
185KB

MD5
26824c7033bfa73a8ee3088f64a67f15

SHA1
30d231c2a5d973a02629a2793e0a852bd7429126

SHA256
7d6cc544ae973f31e87dbb2ca617a3293e18cbc515c5fdcac6612989ce61721d

SHA512
580730dc4c9d07709adc3fb798402563299f2a32ec0dfdd5d737f8f366610fc9b036258b7e0bd0a7210447b6ac71a736bf9c290ac6e7a3a8092d156a9f8c26eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQEq.exe

Filesize
418KB

MD5
d41b3333099ae16d55da7dfc2f6e4542

SHA1
435d773f15c149002fe5ff43dade272858fa9974

SHA256
263d330df5b349f9ed3bd53064ae377b6246be01567f54dac05ee63207bbee0f

SHA512
45cd1b6721db7cf3694cb723b9b2c3b616fa4a93db8b443127a62be9724b6f14396025f13c05802a8b1144d71669837b23ca42f5183610777ea7bbf141f01f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUws.exe

Filesize
307KB

MD5
83bcb8b4b949407a09320c73bebea495

SHA1
7e605a991178ea605fcca11ef99910d41ffbbd36

SHA256
248bbad721b6eaa4d0ae77e1290c18a34e88a8585adae068caa37e0b31a9466e

SHA512
360f31481fe919868ed8dd2eb7cc12cf66d3dfa1b223ab871e8a02e331d6df305ee7e9273d0465f791842a2f4615a2336a306341b6221baf7296e3ce8073200a

Download Submit
C:\Users\Admin\AppData\Local\Temp\okMS.exe

Filesize
630KB

MD5
4f47e4fd58fd416241610ed4daf33db8

SHA1
e43271b5226cecfc6b6e9c005fb90440bd273cfb

SHA256
1e9328229db88b14c4af943f344c1cefd09b70edbf2b6d51245550e8373c2a87

SHA512
f525f54d6da9c4883689b02ec699412e36bb2debec7747821c5bab30bf55a92e45cf2c306a82878637b01ff19a4933a9a4ea223308e3b704d7f560b951bd6cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\osww.exe

Filesize
187KB

MD5
aa0baa40404817c637bd8c0a09074f69

SHA1
ad604a0a8bb11937edfe52d008dcd6417939f5d2

SHA256
1e318a2565e71a12bfc372ecca0160eebb97d8e29687ee65bc21f983d49b26c2

SHA512
0da3a791d14b8fce6877287181ca83169b3135578ea667d81ef2a4e4be5f8895bbe51f62609802267e51128ac74442b60df328b2c1f5bce3bf03924afd5a094f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIMQ.exe

Filesize
793KB

MD5
780d5cdd9fa88d035fc2fe1c946e1e5a

SHA1
022fc238b53bc7e796371b5b4ae64ebc8b4aced2

SHA256
687db269ba0577ac461f345fc8243b6f52f8f6bb100c4ff73179534534442fc7

SHA512
e88271938b85a93373f01cc133cc07b52f2b9c20a04c67408d732798fc0e2833d30aae26f443ae104851b0dba8e2adfa5ec2f63ac930fe07002b2b7bf1e4e7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMwK.exe

Filesize
207KB

MD5
f124bce06ad99ac279534733245f2c27

SHA1
e6b3eb48db11466ef4845e5edb48d3376c6175f7

SHA256
0bb4c0817f4c722a7430047cdf33f012b5654c13dbb4e6800f9e5f8bfc85b40c

SHA512
8092721c64153fe2efeb9a4fa735319d9cf52aea91ebbcac6a44b52f3d2e5a748f0a62ac1059b02a2d31dde34dc8cefcdf2403abd3f6906c64be3cec3f30d0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwUO.exe

Filesize
195KB

MD5
b8c4ad7e5970e337537cc0351a002ab4

SHA1
cd939b443e0737cb89d447bbf5a2053e28f652e7

SHA256
f6f3f93ccfbba730a6b838b3fb357e6e6ca8ec4dce019eb248a8699c7bacbfa3

SHA512
5c531a2e7c2da58f8e45a0aa0b0a495f59752531297a3faa17e6a1c7fe98c8d977d69dda974cc68c471eb76bbf7c031908fc55e1c78e6e60b59019ad30c15888

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAcQ.exe

Filesize
195KB

MD5
562cb00cb47b1081e2fea2b8a546aeb3

SHA1
1ccaf0fe1eae350be39eadb704ddb6714e29949d

SHA256
2d653762fc1d935803bd1492d3f1745f3d9d9a5044d133ae32b61fec3d566826

SHA512
be3816d62aabae24bf16163d408ee08369e5a97dfd9b581edcc9200dd1256896879e87c8e812aee90d60feef7d2d5d9aea9afeffa7d2311a93a6338505085d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIsS.exe

Filesize
207KB

MD5
821f53e362bc703f15307209d9023483

SHA1
c57cd83c379c48d0a918c7112de9c79f9ca04c53

SHA256
8c40d4c1471a49c1b69b979e660c544f048d0f0e68391c8ecd7f9c7fb39e10e1

SHA512
ba743bd5cbc6a0e9d1873437d8e25dead197b267891c63988f7212928e038748881a39866a50f4e0202c39fff9788f70fda5d5abf4af7c12f7c0e1387ad82a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMEW.exe

Filesize
638KB

MD5
8bc4a20dbac84e61360cfd6ba254df9b

SHA1
c000d9bdabfb8a1112b04ae31f9ff576b1706f48

SHA256
0c5cf856b25ce432d2bd3de8b7ed84d9688b8d3070dd252e14a95c51f4994c08

SHA512
3ed0e7912b0a91bb69ce1fdf0479202dc6d7250f653526eaf8cacc6e614139fb9233c01f2955589afb86085c26d2936a2a9012e9d8ca6e06926a659e9b1fba6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQQI.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\skom.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\soco.exe

Filesize
203KB

MD5
1b622aced9474f2aaba0c46af0e0e588

SHA1
b5d89c51ec6beeedd136effbaa1420b4038deba1

SHA256
82c445ef166248c3293407c27f909c8f587385550ca713973c0b6e2821f12c1f

SHA512
3b2b96a8134115d1a5fabe5b1e062c7264cc8e0341b4a086ce80118fa03f15d8a2bfd3874923229f8046d942e69389df071cbf80b889d370632592d5a58c5870

Download Submit
C:\Users\Admin\AppData\Local\Temp\sokQ.exe

Filesize
186KB

MD5
44df3c24b013e3521750e293fa16809b

SHA1
7438b18f98bc81a19fda1f2932e3532739f7ee9d

SHA256
3addf13716b4a3e39a015285352888c665a92c47205b6df6076401d1b791b470

SHA512
d4294f3e03d060f568de622d55d2d8b8bac58fbe3080b57fa949c9bc0adf8692fae9b49bb0ab6d562fdaedf10cb370a28ce87925f34385db4ca9da64a824b01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAoA.exe

Filesize
202KB

MD5
e641a5cb278182068c40092c3999a23b

SHA1
2e94372cecab07be8ea654081c627f20e1acd321

SHA256
9f05fa3f20a726f4036401e75e31b8fac6b1231a4701d9c7a9518ea63ef640f9

SHA512
fa486e800ed85ac732e762bd09219893d6a2bb7bf83fd30ce558561d948a90c50a53766d76024a7d9fcc2ac2f57ca13e9d074367da33e361914d686a6cb8ace7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEYQ.exe

Filesize
815KB

MD5
e8f2d7dc2f31e863e44cc789fd552a93

SHA1
87cb8d0c93aa2bb734c5463ff39ef9deafa95bb6

SHA256
5545f6bb933ef03994cf71d8041eeeb375db1e38dac4e75aeb0c1714251837e5

SHA512
6b432bc1b8971f091cfb1ac114fd0a03ed6c0e8f8196db5188a1d659734b260920fd3ac321d3791d682c03325bc70f8ebc2c53ca6f19358f6329e9494f1b57e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUoq.exe

Filesize
540KB

MD5
17304eac37f7840c5f1d30218014a8a2

SHA1
ddec3080e1ea5ea5f4e314867feac320f9bced67

SHA256
fecbf6d2a60a7200e6bf0cc4d1cb962cfc0fedb9f615ff20f5968612454c5c3e

SHA512
2833e7d6f32b8b9bf535284167482651e77c104da2d871d6157d2c312ebd12f6c9e7d735175cded8d119605b81f92e1b0965ebe65e26fa3c876789b1ba4edf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYU.exe

Filesize
207KB

MD5
dae0659380ee5f2c717d75e94b093504

SHA1
0b5c007a866396d01ba49f27be86b76a9e042414

SHA256
af9305fe312f00d89444202a08ce97498d3fa10bc039aa4548e555cbd7109966

SHA512
fbf12e638de5cb9259b7a90e284bc54d1a2b45e264e68e5a1afbd473dfabdef9a68154dbeff70271b1b1ea5806ac3ef37703b986333507ea39d518e6aa62d7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAco.exe

Filesize
884KB

MD5
4b410304dd66864cc867f72f670e823a

SHA1
61d75e739200c1bae892760e91b78113a461f15b

SHA256
b955bd43f3356a12c0f605acdc45bd2465278b81523279e92c8324fbd69d27a4

SHA512
13c10b7cd6e8508aacbc24eddb752079569b75a1d5f19f9e849f9994c9c75fe7c45a0adb748c2bc96d1935876c25dd9301d8d0a65b04de21363d7f42fc83c058

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEoc.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQAa.exe

Filesize
191KB

MD5
e149bd8c213e0ac24d6a8e1a4b35fde6

SHA1
4dd1234794f9d1a9056bbf77c2c1dec6183917b1

SHA256
bea582e7a31c36387e0bf9bd875da628a81ecf7e4e15416ada60a909811986e1

SHA512
3637fe56221abdb7968209f619ebd1293254e831fec7f447f1de5c48fdbc30c957de78e182b2a86ac95b756cf07d5e8f298c86e3a7170cda9e5242e2ede8d3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\woUk.exe

Filesize
226KB

MD5
82c97634d99c3f6fe91dfae66a582efc

SHA1
ee32c8d947d6eb2a4e26a280420fd6e3c942dd21

SHA256
a2d2b2bb08ea1c21b127252c35b9303c7d1fd434f5e83d93a93f2f08a9b3f00c

SHA512
4164210fa7d2e6afcc6f2fd664fbc11b87150744e6f0b48a023f59f16bba05f1f6cf20f56efc13e8cfd742475fb75d8202eb86691a34de2c872b3208d5687497

Download Submit
C:\Users\Admin\AppData\Local\Temp\wswO.exe

Filesize
659KB

MD5
6ae6380670d6822bff3bf284367a156b

SHA1
8dfd7f488da7eb43da9c2d1438701db4f3e50e2a

SHA256
f0c9220fdf4301c190c83f1f7aff39cb52c688a37febe2f44011ef44dfb13838

SHA512
5aaabd3f88985f6cf7a21f3824aa2341133597121c68efe47fd6fdf70e8a603c0416a5e5b662ca666713d579047b2f79703ee69b66073c9bcabb408dfa55f2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAcw.exe

Filesize
187KB

MD5
f219c335414472549693193c29b88903

SHA1
b98a747218f250451946f7343d16dd57a76d9ac1

SHA256
8c95fd441b017e53ae5ba2f84fcc5d365249e714650aff13eb4e8d05004a2a45

SHA512
2751948af54b774e061fcebeb281badd5afa85beac460a03025d02443a96aa3e6e7257eb71e96663b8d002a162598cbfc68029dab9c890de684803d93e0c45db

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIQG.exe

Filesize
2.0MB

MD5
d619a317efe84a8e089c04790b28b88b

SHA1
e804b03ae4dc1ae616e360e94939dc2b9e5e3be5

SHA256
ece17f0e04dc8b1d0daef754b8de6cccedaae677d4f52b2133ff7f601026e5e4

SHA512
d95b788e2689bfaf6ea210793fba3ebbe98d036377f9e363a0a43488db060ccd93b76b5e0d436a5838b669efbd2ff76f01e58f3a694ad5621cf7b3a79a5ceb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUck.exe

Filesize
213KB

MD5
3c2cbe571a582df5d26eaa38cd729c15

SHA1
a4e7712bdebdb408aa5a1d18782ef753e294cd21

SHA256
66eb6e0155395e1528f7405610c3efee787477c9683b795cc0fe3599f6c0437f

SHA512
9a8205762d012880ae9a5e53cee63d3c27d81e9e51898a38efcd8215d606c019f557f0fd4a6ea271f88280e239f0bbb1e6b94e5a8bf75d86f09c31ff90c0f601

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYoE.exe

Filesize
193KB

MD5
dc84f6a086f93a4fe1661cd24ccb6731

SHA1
80b0b07670a4e4442f4b46a8f7d88f72263c8659

SHA256
70ed931027422654c9d5eb7054c2f52b886c0bec731a991d6f0841a3f2c9bb42

SHA512
2c340dbf36cc1bc260e3c26c34cd4f5496b007362cff194c95cc44654d805608f2b80ae7b4f5ec31a24b4b8380e44882874e2d9af1d72aff127227489a770dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykwQ.exe

Filesize
188KB

MD5
2033d41c08406b5144242e5f829583d1

SHA1
3341b8f96a2456965d21d9e09cbadd318c2e465b

SHA256
9fd15bc5aabacde281e4ae3e2af38af01723cdddf28f4d5c115f23e620675f45

SHA512
cd41ef7df921a3e6767b823336d9d30e7c5092d44c0a3084e2aad272bbb8fc174658c73a7ebe6b168a8ff686b5e6e8dfbdfd7b791ea25121d20bdf437415d1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoos.exe

Filesize
198KB

MD5
9024d3ecde5cbb8003eb73cee6166357

SHA1
bf674565c484f543cff9c6239eb44f2a009b3db6

SHA256
630b24280834f4d3cfc8bd70d60673ed516e16aafe296f546833a895a8539708

SHA512
18d27f8ab130126c746c96ba58423fa6bed653359eb3f4c7186698da66235f6a95307b9bf3d3c80cba785a1d474a4f1cc97045270a53d2f472e685edaae83637

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywMm.exe

Filesize
678KB

MD5
0bc800b20567f91eb198fe9d6b47fe6c

SHA1
593a31415d2eba55fb993330d6514303871aa56b

SHA256
898167a3b4a72c3b622352b662c7f8012573c2da05c0b288e25619ca3ff5bebd

SHA512
a6fe4871b5509c7e4e449e9dc34ffe22a0787b9d7f18203a5a4e7b3d6dcecdd5672f305d037984ccbc3d13eea482aeac96ca0a2f785e9a718ed2fa7b136e020f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywoM.exe

Filesize
821KB

MD5
3c8d21b5d94ea5514f3d84b19849e460

SHA1
bfdcf71b8e59f3a3182dd9865a8cd92b595a1f91

SHA256
29154a95754020cb0b93af191a4cf2966c02076e76d722046f87f84f2703827c

SHA512
ba57182dcb8aad45c5b3ce2bddecd9de99f2b5b53b093f2116ea50f96d59e92d8118fdf0e0c67ebc7d92849cb581bdfd452fb25b3e88c4bf71965e41f6b55e27

Download Submit
C:\Users\Admin\Music\CompareReceive.mp3.exe

Filesize
645KB

MD5
453d6b064f003f4b05a34f27e1f3122d

SHA1
f88b97874e9ac0318ae71edbf3c5d1cd93837d17

SHA256
f294d4b227ceb66385e5b0492784494fd2d3ccf26c19bdf83bdba21cc3cf2804

SHA512
2e5eb1758eb546ceaebfba3f24111490036fbc54bae3facec098257a4041b70a53510cd7021e92464c1d5103f45084da9ecee8b307d61e616f8ec35c064e38f0

Download Submit
C:\Users\Admin\NmUIgcEw\gmUUAIYM.exe

Filesize
197KB

MD5
fba47a1393e3c889e62d4a51efcb669f

SHA1
a6b7ffa9cef3b8b1c45dd657e6e517a5caea5713

SHA256
e4ca34e986810094acb059da95ca5bd7d1f440f952b80b0cb85eb4c0b1349da2

SHA512
2f9087cc11833726017475fdd8e3cae3c9305ff3d3e92be4d0974fd57ede381a47dca9a7bd43f2a38abc390ea8a701be65a52155cdc1ea4e7887749cdd8af151

Download Submit
C:\Users\Admin\NmUIgcEw\gmUUAIYM.inf

Filesize
4B

MD5
5e97ef64b993c9d33348430875c4a377

SHA1
ea2d5cde90f86ce9634f7f2efbfb2bde6f1431ed

SHA256
64a1f1fccd60b56432162e7dca599907ec71f8b6b3b4f62e49b4c22632712e07

SHA512
b51608e0a6d928d42ca0e7bec945c5d8fb084823ff138647b4556cc3793eec647d3aa9a883f45805313088fa00d7e373782fa2c40a3c6175f8571170b1967dae

Download Submit
memory/60-516-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/116-426-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/116-436-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/400-353-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/400-341-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/456-345-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/668-80-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/668-612-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/748-313-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/748-301-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/748-512-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/748-526-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1016-213-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1064-578-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1228-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-630-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1384-656-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1388-225-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1420-172-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1516-543-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1532-562-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1532-552-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1532-707-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1556-389-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1736-115-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1868-646-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1868-462-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1868-453-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1912-373-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1968-620-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1988-413-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1988-425-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2004-195-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2076-680-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2204-321-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2240-699-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2256-417-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2256-596-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2448-305-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2508-161-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2536-551-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2652-489-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2688-43-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2816-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2816-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2868-381-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2868-372-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2952-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2984-183-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2992-260-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3052-252-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3264-481-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3264-473-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3264-398-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3264-390-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3360-570-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3444-270-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3444-55-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3472-76-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3472-91-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3508-408-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3768-604-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3864-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-295-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3956-507-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4032-126-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4092-66-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4092-51-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4292-278-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4356-445-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4356-438-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4364-454-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4388-638-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4488-681-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4488-691-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4512-137-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4524-102-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4548-716-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4552-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-150-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4596-207-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4628-472-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4628-664-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4648-672-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4844-362-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4844-355-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4848-535-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4848-521-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4856-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-286-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4992-498-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5008-586-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5040-241-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5040-220-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5112-328-0x000001AA8A2D0000-0x000001AA8A2D1000-memory.dmp

Filesize
4KB

Download
memory/5112-323-0x000001AA8A2D0000-0x000001AA8A2D1000-memory.dmp

Filesize
4KB

Download
memory/5112-334-0x000001AA8A2D0000-0x000001AA8A2D1000-memory.dmp

Filesize
4KB

Download
memory/5112-324-0x000001AA8A2D0000-0x000001AA8A2D1000-memory.dmp

Filesize
4KB

Download
memory/5112-333-0x000001AA8A2D0000-0x000001AA8A2D1000-memory.dmp

Filesize
4KB

Download
memory/5112-332-0x000001AA8A2D0000-0x000001AA8A2D1000-memory.dmp

Filesize
4KB

Download
memory/5112-331-0x000001AA8A2D0000-0x000001AA8A2D1000-memory.dmp

Filesize
4KB

Download
memory/5112-330-0x000001AA8A2D0000-0x000001AA8A2D1000-memory.dmp

Filesize
4KB

Download
memory/5112-329-0x000001AA8A2D0000-0x000001AA8A2D1000-memory.dmp

Filesize
4KB

Download
memory/5112-322-0x000001AA8A2D0000-0x000001AA8A2D1000-memory.dmp

Filesize
4KB

Download