e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
Size

500KB
MD5

741881a4decc4960fe7dcebac35e5050
SHA1

b8fe46ea965c3e653611933f85db0c5a8e1f4e24
SHA256

e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
SHA512

8c4d53e61d3622eb3c6ad252ca02b9ec9808f39e973746f771e096ac980050aee265e68645e3717d7075e8fd36d6c265f9d5156ae00bd9cefd736f7b57e236fe
SSDEEP

12288:ZlWtZnNlB2e7EQXokRUCLxSftAd7U44Vn:Xq11hRokRwui1

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1424	MEIkQIcI.exe
3324	QCoUQUgA.exe
4416	cUoYAkMc.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MEIkQIcI.exe = "C:\\Users\\Admin\\TgwAssYQ\\MEIkQIcI.exe"	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MEIkQIcI.exe = "C:\\Users\\Admin\\TgwAssYQ\\MEIkQIcI.exe"	MEIkQIcI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QCoUQUgA.exe = "C:\\ProgramData\\uiEYgwgM\\QCoUQUgA.exe"	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QCoUQUgA.exe = "C:\\ProgramData\\uiEYgwgM\\QCoUQUgA.exe"	QCoUQUgA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QCoUQUgA.exe = "C:\\ProgramData\\uiEYgwgM\\QCoUQUgA.exe"	cUoYAkMc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngEAAIsY.exe = "C:\\Users\\Admin\\JuYQoEYo\\ngEAAIsY.exe"	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YMYgUsAE.exe = "C:\\ProgramData\\umIkgMkk\\YMYgUsAE.exe"	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\TgwAssYQ	cUoYAkMc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\TgwAssYQ\MEIkQIcI	cUoYAkMc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
332	3304	WerFault.exe	950
2532	4672	WerFault.exe	955
3700	1904	WerFault.exe	951

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
980	reg.exe
1412	reg.exe
2748	reg.exe
3652	reg.exe
4036	reg.exe
4192	reg.exe
1172	reg.exe
1892	reg.exe
4960	reg.exe
1752	reg.exe
1648	reg.exe
3972	reg.exe
2860	reg.exe
4776	reg.exe
2288	reg.exe
2220	reg.exe
1400	reg.exe
3052	reg.exe
4884	reg.exe
2632	reg.exe
4496	reg.exe
4584	reg.exe
3652	reg.exe
2344	reg.exe
5112	reg.exe
4060	reg.exe
1792	reg.exe
3168	reg.exe
2544	reg.exe
3924	reg.exe
1420	reg.exe
4648	reg.exe
2324	reg.exe
3108	reg.exe
3120	reg.exe
360	reg.exe
4072	reg.exe
1064	reg.exe
1400	reg.exe
1392	reg.exe
1880	reg.exe
4876	reg.exe
920	reg.exe
2840	reg.exe
216	reg.exe
2212	reg.exe
3048	reg.exe
2840	reg.exe
3148	reg.exe
4076	reg.exe
4328	reg.exe
5036	reg.exe
2540	reg.exe
4920	reg.exe
3712	reg.exe
2520	reg.exe
4320	reg.exe
2100	reg.exe
3116	reg.exe
4516	reg.exe
308	reg.exe
4872	reg.exe
2556	reg.exe
2056	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
932	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
932	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
932	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
932	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
2980	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
2980	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
2980	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
2980	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
480	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
480	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
480	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
480	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3216	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3216	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3216	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3216	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4192	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4192	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4192	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4192	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
1904	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
1904	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
1904	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
1904	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4656	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4656	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4656	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4656	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4652	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4652	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4652	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
4652	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
360	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
360	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
360	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
360	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3984	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3984	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3984	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3984	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3092	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3092	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3092	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3092	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
1316	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
1316	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
1316	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
1316	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3312	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3312	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3312	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
3312	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 1424	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	86
PID 4968 wrote to memory of 1424	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	86
PID 4968 wrote to memory of 1424	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	86
PID 4968 wrote to memory of 3324	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	87
PID 4968 wrote to memory of 3324	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	87
PID 4968 wrote to memory of 3324	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	87
PID 4968 wrote to memory of 4300	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	89
PID 4968 wrote to memory of 4300	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	89
PID 4968 wrote to memory of 4300	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	89
PID 4968 wrote to memory of 1080	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	91
PID 4968 wrote to memory of 1080	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	91
PID 4968 wrote to memory of 1080	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	91
PID 4968 wrote to memory of 308	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	94
PID 4968 wrote to memory of 308	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	94
PID 4968 wrote to memory of 308	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	94
PID 4968 wrote to memory of 4192	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	93
PID 4968 wrote to memory of 4192	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	93
PID 4968 wrote to memory of 4192	4968	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	93
PID 4300 wrote to memory of 556	4300	cmd.exe	95
PID 4300 wrote to memory of 556	4300	cmd.exe	95
PID 4300 wrote to memory of 556	4300	cmd.exe	95
PID 556 wrote to memory of 3664	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	98
PID 556 wrote to memory of 3664	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	98
PID 556 wrote to memory of 3664	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	98
PID 556 wrote to memory of 1872	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	99
PID 556 wrote to memory of 1872	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	99
PID 556 wrote to memory of 1872	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	99
PID 556 wrote to memory of 3332	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	100
PID 556 wrote to memory of 3332	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	100
PID 556 wrote to memory of 3332	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	100
PID 556 wrote to memory of 3972	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	101
PID 556 wrote to memory of 3972	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	101
PID 556 wrote to memory of 3972	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	101
PID 556 wrote to memory of 3264	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	102
PID 556 wrote to memory of 3264	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	102
PID 556 wrote to memory of 3264	556	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	102
PID 3664 wrote to memory of 832	3664	cmd.exe	108
PID 3664 wrote to memory of 832	3664	cmd.exe	108
PID 3664 wrote to memory of 832	3664	cmd.exe	108
PID 832 wrote to memory of 3976	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	109
PID 832 wrote to memory of 3976	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	109
PID 832 wrote to memory of 3976	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	109
PID 3976 wrote to memory of 932	3976	cmd.exe	111
PID 3976 wrote to memory of 932	3976	cmd.exe	111
PID 3976 wrote to memory of 932	3976	cmd.exe	111
PID 832 wrote to memory of 2548	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	112
PID 832 wrote to memory of 2548	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	112
PID 832 wrote to memory of 2548	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	112
PID 832 wrote to memory of 2620	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	113
PID 832 wrote to memory of 2620	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	113
PID 832 wrote to memory of 2620	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	113
PID 832 wrote to memory of 1564	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	114
PID 832 wrote to memory of 1564	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	114
PID 832 wrote to memory of 1564	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	114
PID 832 wrote to memory of 2612	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	116
PID 832 wrote to memory of 2612	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	116
PID 832 wrote to memory of 2612	832	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	116
PID 932 wrote to memory of 2640	932	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	120
PID 932 wrote to memory of 2640	932	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	120
PID 932 wrote to memory of 2640	932	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	120
PID 2640 wrote to memory of 2980	2640	cmd.exe	124
PID 2640 wrote to memory of 2980	2640	cmd.exe	124
PID 2640 wrote to memory of 2980	2640	cmd.exe	124
PID 932 wrote to memory of 4496	932	e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe	122

C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
"C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\TgwAssYQ\MEIkQIcI.exe
  "C:\Users\Admin\TgwAssYQ\MEIkQIcI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1424
- C:\ProgramData\uiEYgwgM\QCoUQUgA.exe
  "C:\ProgramData\uiEYgwgM\QCoUQUgA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
    C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3664
    - - C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        10⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        12⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        14⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        16⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        18⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        20⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        22⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        24⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        26⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        28⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        30⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        32⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        33⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        34⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        35⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        36⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        37⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        38⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        39⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        40⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        41⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        42⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        43⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        44⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        45⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        46⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        47⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        48⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        49⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        50⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        51⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        52⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        53⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        54⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        55⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        56⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        57⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        58⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        59⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        60⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        61⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        62⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        63⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        64⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        65⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        66⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        67⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        68⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        69⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        70⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        71⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        72⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        73⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        74⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        75⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        76⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        77⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        78⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        79⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        80⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        81⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        82⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        83⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        84⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        85⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        86⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        87⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        88⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        89⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        90⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        91⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        92⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        93⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        94⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        95⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        96⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        97⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        98⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        99⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        100⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        101⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        102⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        103⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        104⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        105⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        106⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        107⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        108⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        109⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        110⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        111⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        112⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        113⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        114⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        115⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        116⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        117⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        118⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        119⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        120⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        121⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        122⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        123⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        124⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        125⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        126⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        127⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        128⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        129⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        130⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        131⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        132⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        133⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        134⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        135⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        136⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        137⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        138⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        139⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        140⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        141⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        142⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        143⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663"
        144⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe
        
        C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663
        145⤵
        Adds Run key to start application
        
        PID:2936
        
        C:\Users\Admin\JuYQoEYo\ngEAAIsY.exe
        
        "C:\Users\Admin\JuYQoEYo\ngEAAIsY.exe"
        146⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 284
        147⤵
        Program crash
        
        PID:332
        
        C:\ProgramData\umIkgMkk\YMYgUsAE.exe
        
        "C:\ProgramData\umIkgMkk\YMYgUsAE.exe"
        146⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 312
        147⤵
        Program crash
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmogoEgo.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        144⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMQwIwYE.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        142⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmYAoskA.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        140⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        Modifies registry key
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUEMAYQo.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        138⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies registry key
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMYEAcsw.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        136⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        Modifies registry key
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWIggcAg.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        134⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcwkMEsA.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        132⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukcIUEcA.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        130⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XccAsYko.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        128⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siQocIAY.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        126⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiokkgEQ.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        124⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIEgEwEc.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        122⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiEMkMYA.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        120⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAcgQEcE.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        118⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGowsMgU.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        116⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmIEwQAM.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        114⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMwcMoYA.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        112⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKEssQMk.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        110⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEsYgAkc.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        108⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUYoEUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        106⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgIYgMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        104⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaowswII.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        102⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMoAMMQo.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        100⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngsgEgAY.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        98⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMwAoock.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        96⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGkQUgsE.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        94⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcIgoYIo.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        92⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaUYgowU.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        90⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeMgQggI.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        88⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkccQgAU.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        86⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMMQgAIU.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        84⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwMEMUos.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        82⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKMwYQsU.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        80⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEIQIoEA.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        78⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqsUkkwA.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        76⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWoIwwEk.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        74⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcUMIAQA.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        72⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMYswEok.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        70⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMsYYcIw.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        68⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECosowMg.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        66⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYMUwoAw.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        64⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOgYYYog.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        62⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOEUcgQg.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        60⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYkggEoY.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        58⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgwksooQ.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        56⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiIwAwYo.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        54⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viMwMkMM.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        52⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgcEUMkE.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        50⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAAcwcAc.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        48⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKYEIcwI.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        46⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqgIAwYM.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        44⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEIQAsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        42⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiEQIIQI.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        40⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeMAoEUs.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        38⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqIwccwc.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        36⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeMYMkkM.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        34⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIkEEkww.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        32⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuIokwIo.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        30⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hosgMcoE.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        28⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyMkIIMw.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        26⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaMsIUsc.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        24⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIUAoscg.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        22⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCEAgAsk.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        20⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQgYMYYU.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        18⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euogYskQ.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        16⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmMUUQYk.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        14⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwIwcMcE.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        12⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGwMMgEw.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        10⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIwQcYsA.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        8⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2856
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2620
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEgkYgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
        6⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1524
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3332
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQccUYEs.bat" "C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663.exe""
      4⤵
      PID:3264
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3328
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1080
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4192
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:308

C:\ProgramData\loYAkcso\cUoYAkMc.exe
C:\ProgramData\loYAkcso\cUoYAkMc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1904 -ip 1904
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3304 -ip 3304
1⤵
PID:3432

C:\ProgramData\tuswwUIQ\sioMoUEc.exe
C:\ProgramData\tuswwUIQ\sioMoUEc.exe
1⤵
PID:4672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 368
  2⤵
  - Program crash
  PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4672 -ip 4672
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\loYAkcso\cUoYAkMc.exe

Filesize
471KB

MD5
f233011bd099c559f5e7cef2d44f8f9c

SHA1
78e5aa8737d2fc1ef9d50c49a867d593d1113508

SHA256
8f11ae1bdd0b073aa9a416126e82d0535bf2d4c0044b9e211fc6849e11f625f5

SHA512
eee3901c6d717a958c4ac3574d5b2f1cd34480e3b3d1fe23d8e1c6bd0a975ee1efcdd1cd3f92d0544d8b7e30367213af106ddaa475e883f3315519834d0fa756

Download Submit
C:\ProgramData\loYAkcso\cUoYAkMc.exe

Filesize
471KB

MD5
f233011bd099c559f5e7cef2d44f8f9c

SHA1
78e5aa8737d2fc1ef9d50c49a867d593d1113508

SHA256
8f11ae1bdd0b073aa9a416126e82d0535bf2d4c0044b9e211fc6849e11f625f5

SHA512
eee3901c6d717a958c4ac3574d5b2f1cd34480e3b3d1fe23d8e1c6bd0a975ee1efcdd1cd3f92d0544d8b7e30367213af106ddaa475e883f3315519834d0fa756

Download Submit
C:\ProgramData\uiEYgwgM\QCoUQUgA.exe

Filesize
470KB

MD5
12b9ef5cd3c95b6c9bdb1ed8f7bcc7dc

SHA1
5b48192018396f5ca0b8f0d74442f6d2d0f114f1

SHA256
5887c4e50eaed1f3bf5c47f72f7beead886bbac5e0d46f1f280bef1a1d3bf0c4

SHA512
26ca05ef94da84b5f283fe9bc46a43827d2b11d4a68ec493786840f05102efa09fb6be39e82a26e4428bbd99a7e5e2a7b99a0e974b56a6f3ead7ded147e71fb6

Download Submit
C:\ProgramData\uiEYgwgM\QCoUQUgA.exe

Filesize
470KB

MD5
12b9ef5cd3c95b6c9bdb1ed8f7bcc7dc

SHA1
5b48192018396f5ca0b8f0d74442f6d2d0f114f1

SHA256
5887c4e50eaed1f3bf5c47f72f7beead886bbac5e0d46f1f280bef1a1d3bf0c4

SHA512
26ca05ef94da84b5f283fe9bc46a43827d2b11d4a68ec493786840f05102efa09fb6be39e82a26e4428bbd99a7e5e2a7b99a0e974b56a6f3ead7ded147e71fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AuIokwIo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIkEEkww.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwIwcMcE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiEQIIQI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIwQcYsA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAAcwcAc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQgYMYYU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeMAoEUs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KyMkIIMw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGwMMgEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEIQAsEQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeMYMkkM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqgIAwYM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEgkYgcQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKYEIcwI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQccUYEs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e33fdd9e482472df3ab545ea9cc3e2cdbd8dfec5b12c7435651c41334f260663

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\euogYskQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hosgMcoE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIUAoscg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kaMsIUsc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmMUUQYk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqIwccwc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uCEAgAsk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\TgwAssYQ\MEIkQIcI.exe

Filesize
467KB

MD5
582145f509c4be1e2d6849730124ac73

SHA1
98249c7d8dcb365f4e4234ae813a815aea64131e

SHA256
656c49221464f9457cba79f7d45905b7bb668bb49b1d8f71c9731037aad7d432

SHA512
3c08b3a8834cc790b52c5bbea09989616bb312b8eac03bd9cc01d996f28312f212fce71e664838584aa916ea493b1b9cde9dc5b56ec2a380fc90824043c071b5

Download Submit
C:\Users\Admin\TgwAssYQ\MEIkQIcI.exe

Filesize
467KB

MD5
582145f509c4be1e2d6849730124ac73

SHA1
98249c7d8dcb365f4e4234ae813a815aea64131e

SHA256
656c49221464f9457cba79f7d45905b7bb668bb49b1d8f71c9731037aad7d432

SHA512
3c08b3a8834cc790b52c5bbea09989616bb312b8eac03bd9cc01d996f28312f212fce71e664838584aa916ea493b1b9cde9dc5b56ec2a380fc90824043c071b5

Download Submit
memory/360-251-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/428-312-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/428-311-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/480-201-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/556-158-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/556-150-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/832-168-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/832-160-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/920-310-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/932-180-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1104-302-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1208-292-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1316-261-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1424-247-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1424-140-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1488-268-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1488-271-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1592-282-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1716-286-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1716-287-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1808-305-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1832-315-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1832-316-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1896-321-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1896-319-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1904-228-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1904-237-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2204-273-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2204-275-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2216-314-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2336-298-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2336-301-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2980-183-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2980-191-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3092-258-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3180-309-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3216-211-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3216-219-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3312-264-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3324-248-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3324-141-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3372-267-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3372-307-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3372-306-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3372-308-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3688-322-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3688-323-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3984-253-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3984-255-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4192-224-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4192-212-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4344-303-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4344-304-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4416-149-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4572-278-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4636-295-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4652-246-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4656-243-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4876-318-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4876-320-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4884-313-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4968-133-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4968-132-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5016-317-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download