70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Analysis

max time kernel
169s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 19:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
Size

441KB
MD5

54cd9482e65b9e44430288d25e364340
SHA1

c8952d623879821ac0da92a53b8275e94b6005f2
SHA256

70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
SHA512

2f12678c58f492023a9d4ed7ef3fb518ccb578510bef85e609940c9395d75f1107774346d6b24e4aca9dbab50f240ce87117bb194424758a0190f13a285d71b8
SSDEEP

6144:gN9/o4ROzBTRh0PyDvo648g35jaA7/0wOyfXRetExQwiTrKvbsZlQT/Hbd7TOAei:c30JRSotGsA71/AExQNrIv1vg6v0o

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 62 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 62 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
3404	eQUEYgkQ.exe
5080	gmwcQUQE.exe
5044	RYMEoocU.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	eQUEYgkQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmwcQUQE.exe = "C:\\ProgramData\\ykUokcMA\\gmwcQUQE.exe"	gmwcQUQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmwcQUQE.exe = "C:\\ProgramData\\ykUokcMA\\gmwcQUQE.exe"	RYMEoocU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OWcEgAUk.exe = "C:\\Users\\Admin\\fksIMMsw\\OWcEgAUk.exe"	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BKkkgMUY.exe = "C:\\ProgramData\\diIsEgMY\\BKkkgMUY.exe"	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eQUEYgkQ.exe = "C:\\Users\\Admin\\zmAcEYcU\\eQUEYgkQ.exe"	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eQUEYgkQ.exe = "C:\\Users\\Admin\\zmAcEYcU\\eQUEYgkQ.exe"	eQUEYgkQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmwcQUQE.exe = "C:\\ProgramData\\ykUokcMA\\gmwcQUQE.exe"	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\zmAcEYcU	RYMEoocU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\zmAcEYcU\eQUEYgkQ	RYMEoocU.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	eQUEYgkQ.exe
File opened for modification	C:\Windows\SysWOW64\sheUnregisterRequest.mpg	eQUEYgkQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4360	4696	WerFault.exe	344
2928	2824	WerFault.exe	347

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1072	reg.exe
1212	reg.exe
4308	reg.exe
2252	reg.exe
2888	reg.exe
3584	reg.exe
4176	reg.exe
2408	reg.exe
3776	reg.exe
2492	reg.exe
2128	reg.exe
3652	reg.exe
4864	reg.exe
4756	reg.exe
2396	reg.exe
5008	reg.exe
1248	reg.exe
3688	reg.exe
2224	reg.exe
4748	reg.exe
4536	reg.exe
4000	reg.exe
4660	reg.exe
2028	reg.exe
4380	reg.exe
3864	reg.exe
3892	reg.exe
3016	reg.exe
2436	reg.exe
2812	reg.exe
4536	reg.exe
3632	reg.exe
8	reg.exe
3584	reg.exe
4340	reg.exe
4568	reg.exe
4104	reg.exe
2068	reg.exe
4228	reg.exe
4572	reg.exe
3100	reg.exe
3800	reg.exe
1452	reg.exe
4396	reg.exe
2320	reg.exe
1688	reg.exe
1304	reg.exe
3588	reg.exe
4196	reg.exe
3472	reg.exe
1460	reg.exe
3688	reg.exe
3036	reg.exe
5112	reg.exe
4032	reg.exe
4764	reg.exe
1136	reg.exe
4304	reg.exe
4176	reg.exe
3500	reg.exe
2380	reg.exe
2384	reg.exe
1916	reg.exe
4060	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3040	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3040	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3040	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3040	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3780	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3780	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3780	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3780	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1708	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1708	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1708	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1708	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3756	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3756	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3756	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3756	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1336	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1336	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1336	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1336	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
2508	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
2508	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
2508	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
2508	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3088	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3088	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3088	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3088	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1588	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1588	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1588	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1588	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1516	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1516	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1516	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1516	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1296	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1296	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1296	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
1296	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3944	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3944	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3944	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3944	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
4624	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
4624	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
4624	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
4624	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3756	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3756	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3756	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
3756	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
3404	eQUEYgkQ.exe
3404	eQUEYgkQ.exe
3404	eQUEYgkQ.exe
3404	eQUEYgkQ.exe
3404	eQUEYgkQ.exe
3404	eQUEYgkQ.exe
3404	eQUEYgkQ.exe
3404	eQUEYgkQ.exe
3404	eQUEYgkQ.exe
3404	eQUEYgkQ.exe
3404	eQUEYgkQ.exe
3404	eQUEYgkQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 3404	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	80
PID 3460 wrote to memory of 3404	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	80
PID 3460 wrote to memory of 3404	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	80
PID 3460 wrote to memory of 5080	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	81
PID 3460 wrote to memory of 5080	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	81
PID 3460 wrote to memory of 5080	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	81
PID 3460 wrote to memory of 5112	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	83
PID 3460 wrote to memory of 5112	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	83
PID 3460 wrote to memory of 5112	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	83
PID 3460 wrote to memory of 1424	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	85
PID 3460 wrote to memory of 1424	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	85
PID 3460 wrote to memory of 1424	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	85
PID 3460 wrote to memory of 1688	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	87
PID 3460 wrote to memory of 1688	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	87
PID 3460 wrote to memory of 1688	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	87
PID 3460 wrote to memory of 1336	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	90
PID 3460 wrote to memory of 1336	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	90
PID 3460 wrote to memory of 1336	3460	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	90
PID 5112 wrote to memory of 3348	5112	cmd.exe	91
PID 5112 wrote to memory of 3348	5112	cmd.exe	91
PID 5112 wrote to memory of 3348	5112	cmd.exe	91
PID 3348 wrote to memory of 2892	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	92
PID 3348 wrote to memory of 2892	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	92
PID 3348 wrote to memory of 2892	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	92
PID 2892 wrote to memory of 176	2892	cmd.exe	94
PID 2892 wrote to memory of 176	2892	cmd.exe	94
PID 2892 wrote to memory of 176	2892	cmd.exe	94
PID 3348 wrote to memory of 3720	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	95
PID 3348 wrote to memory of 3720	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	95
PID 3348 wrote to memory of 3720	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	95
PID 3348 wrote to memory of 2028	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	96
PID 3348 wrote to memory of 2028	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	96
PID 3348 wrote to memory of 2028	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	96
PID 3348 wrote to memory of 2068	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	100
PID 3348 wrote to memory of 2068	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	100
PID 3348 wrote to memory of 2068	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	100
PID 176 wrote to memory of 4092	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	101
PID 176 wrote to memory of 4092	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	101
PID 176 wrote to memory of 4092	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	101
PID 176 wrote to memory of 3652	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	103
PID 176 wrote to memory of 3652	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	103
PID 176 wrote to memory of 3652	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	103
PID 176 wrote to memory of 3632	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	104
PID 176 wrote to memory of 3632	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	104
PID 176 wrote to memory of 3632	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	104
PID 176 wrote to memory of 1248	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	106
PID 176 wrote to memory of 1248	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	106
PID 176 wrote to memory of 1248	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	106
PID 4092 wrote to memory of 3040	4092	cmd.exe	109
PID 4092 wrote to memory of 3040	4092	cmd.exe	109
PID 4092 wrote to memory of 3040	4092	cmd.exe	109
PID 176 wrote to memory of 1116	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	111
PID 176 wrote to memory of 1116	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	111
PID 176 wrote to memory of 1116	176	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	111
PID 3348 wrote to memory of 2280	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	110
PID 3348 wrote to memory of 2280	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	110
PID 3348 wrote to memory of 2280	3348	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	110
PID 3040 wrote to memory of 1464	3040	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	115
PID 3040 wrote to memory of 1464	3040	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	115
PID 3040 wrote to memory of 1464	3040	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	115
PID 3040 wrote to memory of 4228	3040	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	116
PID 3040 wrote to memory of 4228	3040	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	116
PID 3040 wrote to memory of 4228	3040	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	116
PID 3040 wrote to memory of 1304	3040	70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe	117

C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
"C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\zmAcEYcU\eQUEYgkQ.exe
  "C:\Users\Admin\zmAcEYcU\eQUEYgkQ.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  PID:3404
- C:\ProgramData\ykUokcMA\gmwcQUQE.exe
  "C:\ProgramData\ykUokcMA\gmwcQUQE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
    C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        8⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        10⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        12⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        14⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        16⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        18⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        20⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        22⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        24⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        26⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        28⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        30⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        32⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        33⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        34⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        35⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        36⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        37⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        38⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        39⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        40⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        41⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        42⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        43⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        44⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        45⤵
        Adds Run key to start application
        
        PID:2008
        
        C:\Users\Admin\fksIMMsw\OWcEgAUk.exe
        
        "C:\Users\Admin\fksIMMsw\OWcEgAUk.exe"
        46⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 288
        47⤵
        Program crash
        
        PID:4360
        
        C:\ProgramData\diIsEgMY\BKkkgMUY.exe
        
        "C:\ProgramData\diIsEgMY\BKkkgMUY.exe"
        46⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        46⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        47⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        48⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        49⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        50⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        51⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        52⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        53⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        54⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        55⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        56⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        57⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        58⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        59⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        60⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        61⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        62⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        63⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        64⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        65⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        66⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        67⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        68⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        69⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        70⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        71⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        72⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        73⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        74⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        75⤵
        
        PID:504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        76⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        77⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        78⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        79⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        80⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        81⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        82⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        83⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        84⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        85⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        86⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        87⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        88⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        89⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        90⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        91⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        92⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        93⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        94⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        95⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        96⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        97⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        98⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        99⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        100⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        101⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        102⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        103⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        104⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        105⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        106⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        107⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        108⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        109⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        110⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        111⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        112⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        113⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        114⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        115⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        116⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        117⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        118⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        119⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        120⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        121⤵
        
        PID:176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        122⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe
        
        C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d
        123⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d"
        124⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUcUIokE.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        124⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYoQoocw.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        122⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKoIIcIA.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        120⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMcMwoUg.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        118⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bocgYgoU.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        116⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feEwEAIs.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        114⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NugYoQAM.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        112⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeIQMwIM.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        110⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSQQEUEg.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        108⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qescEUIs.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        106⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsAIIkwA.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        104⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEAIIgIU.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        102⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqkoQUkA.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        100⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOQYMkAY.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        98⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwssEYUg.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        96⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bccwYoMw.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        94⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qogIgAMg.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        92⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgYIIkMw.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        90⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwAsosEw.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        88⤵
        
        PID:504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omkIUMIk.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        86⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIcMEsgo.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        84⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWgMIMMw.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        82⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOIQEAYw.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        80⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weAYAIUA.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        78⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buEoQEIY.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        76⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSkkocEo.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        74⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYIQUUsk.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        72⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daUgUwUg.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        70⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEIEQksI.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        68⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEAkQAgE.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        66⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWwQwwMc.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        64⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYQoYQYE.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        62⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEgkYgoM.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        60⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGMkcsUk.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        58⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmQssUUs.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        56⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOEAosgQ.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        54⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UigkUIYo.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        52⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eykIoUIM.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        50⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twkEoMQE.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        48⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doEoAgEA.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        46⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqgkwUYY.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        44⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XacgowkE.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        42⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEYswYso.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        40⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqksYAIc.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        38⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQgAokAY.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        36⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IccAAwMY.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        34⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYcEUQsk.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        32⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juUEsggA.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        30⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUQIQksg.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        28⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaokYIMY.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        26⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aosQMgoA.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        24⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkAogwYY.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        22⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqosogsE.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        20⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAsMIckU.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        18⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMMsQgoo.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        16⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qksYQwYo.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        14⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIgogooo.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        12⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEUEgkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        10⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKUoUgQg.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        8⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4588
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3652
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3632
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:1248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQMEsUko.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
        6⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3528
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3720
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2028
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGYkYsAo.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3968
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1424
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1688
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIsAkcwo.bat" "C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d.exe""
  2⤵
  PID:4752
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3620

C:\ProgramData\FQUkUsMo\RYMEoocU.exe
C:\ProgramData\FQUkUsMo\RYMEoocU.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5044

C:\ProgramData\ZIgQIIgk\awIckgcg.exe
C:\ProgramData\ZIgQIIgk\awIckgcg.exe
1⤵
PID:2824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 264
  2⤵
  - Program crash
  PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2824 -ip 2824
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4696 -ip 4696
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FQUkUsMo\RYMEoocU.exe

Filesize
430KB

MD5
22a3b52174cf6a18ba522e8646a74318

SHA1
1863cef867d87ae0594d19e8ec99f9545be6a9bf

SHA256
0f1c6b08d3f7a0f49c8d3e4492a065840fd67cc7a07dff54191eb803a97fad50

SHA512
effcf6e36881df4ea84d65b44eeb61306871934fb2bf87406e208d20134c7063b9d647256564590e3adbaa62f7925935e6a8c747238d8cada9d082f7ca6e128e

Download Submit
C:\ProgramData\FQUkUsMo\RYMEoocU.exe

Filesize
430KB

MD5
22a3b52174cf6a18ba522e8646a74318

SHA1
1863cef867d87ae0594d19e8ec99f9545be6a9bf

SHA256
0f1c6b08d3f7a0f49c8d3e4492a065840fd67cc7a07dff54191eb803a97fad50

SHA512
effcf6e36881df4ea84d65b44eeb61306871934fb2bf87406e208d20134c7063b9d647256564590e3adbaa62f7925935e6a8c747238d8cada9d082f7ca6e128e

Download Submit
C:\ProgramData\ykUokcMA\gmwcQUQE.exe

Filesize
435KB

MD5
978730946af13922632a06999bf6af4f

SHA1
33f4d237ac91683c250f057c72cb1c14c63bfe2e

SHA256
8592c0c7bfa3f6f461d6b0258bd8b32e0617e492a56f9d526072a5b972d828b3

SHA512
742c6495b28687e3f6357d4e61625fb4262127add6023093ca5b4998d1b39ba964fa3157bbb1b02a52a2acb4c7c2355dd4fdc8ee572580a66d04471b1609048a

Download Submit
C:\ProgramData\ykUokcMA\gmwcQUQE.exe

Filesize
435KB

MD5
978730946af13922632a06999bf6af4f

SHA1
33f4d237ac91683c250f057c72cb1c14c63bfe2e

SHA256
8592c0c7bfa3f6f461d6b0258bd8b32e0617e492a56f9d526072a5b972d828b3

SHA512
742c6495b28687e3f6357d4e61625fb4262127add6023093ca5b4998d1b39ba964fa3157bbb1b02a52a2acb4c7c2355dd4fdc8ee572580a66d04471b1609048a

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\70203bde8ec4511cf25954da695ec404255322057283730b002f611e98f3fe1d

Filesize
6KB

MD5
5f6870e505406f5a8e8fa594b6d5bafb

SHA1
4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb

SHA256
f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a

SHA512
b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DGYkYsAo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IccAAwMY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQMEsUko.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYcEUQsk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMMsQgoo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEUEgkEQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QaokYIMY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEYswYso.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XacgowkE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aosQMgoA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dqksYAIc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKUoUgQg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqgkwUYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIgogooo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAsMIckU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\juUEsggA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkAogwYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqosogsE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUQIQksg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQgAokAY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qksYQwYo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\twkEoMQE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\zmAcEYcU\eQUEYgkQ.exe

Filesize
430KB

MD5
dc0abb52bef905f4a7d48d128b3e8d78

SHA1
46b85fa01c437ce6c5859944941db07a5138c0d5

SHA256
729de538db2b063c60a2d5caba4bd57da96fa0cd763120c60cfe769e8d052a65

SHA512
b5111bddcdc9176840ae7f258c39ef0c6a15d70fa2c403d714b0ce6a7b2dbd53c5008c4327e7b42c6ec7ed21a635b8aec22fa65327e1e3765d4518f24d8af50c

Download Submit
C:\Users\Admin\zmAcEYcU\eQUEYgkQ.exe

Filesize
430KB

MD5
dc0abb52bef905f4a7d48d128b3e8d78

SHA1
46b85fa01c437ce6c5859944941db07a5138c0d5

SHA256
729de538db2b063c60a2d5caba4bd57da96fa0cd763120c60cfe769e8d052a65

SHA512
b5111bddcdc9176840ae7f258c39ef0c6a15d70fa2c403d714b0ce6a7b2dbd53c5008c4327e7b42c6ec7ed21a635b8aec22fa65327e1e3765d4518f24d8af50c

Download Submit
memory/176-181-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/176-155-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/868-323-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1004-313-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1004-314-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1296-257-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1296-256-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1336-223-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1336-286-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1336-288-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1516-248-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1516-249-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1588-246-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1664-292-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1664-294-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1688-315-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1688-303-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1708-199-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1708-187-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2104-312-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2104-311-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2432-321-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2456-307-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2508-226-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2508-231-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2624-280-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2824-300-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3040-171-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3040-186-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3052-318-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3088-241-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3312-276-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3312-275-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3348-153-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3348-184-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3404-136-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3404-255-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3460-305-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3460-132-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3460-242-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3756-272-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3756-207-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3780-185-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3944-261-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4024-291-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4024-301-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4088-310-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4300-283-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4300-281-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4352-298-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4356-322-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4472-308-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4472-309-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4624-264-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4624-267-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4696-299-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4736-320-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4736-319-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5008-316-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5008-317-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5044-144-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5044-273-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5080-140-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5080-263-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download