2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Analysis

max time kernel
153s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Size

486KB
MD5

826ce8e73c528bfd03b63eff6ef751a0
SHA1

5cda6499c8bb54442497e0bda1ecd8cfbfbf1831
SHA256

2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
SHA512

95248f98c8cc3cd353715ef4ed180c0eb8444926556d697aea81d8cc0da4e5019dadcfe35c0789dbe9accfa026bb91a5040b19ce60adef16b16536a3251cf55e
SSDEEP

12288:8CyYw6a6zcNT6FYhQpHMIRfUa6QIvLuX4MguBKm3ZmZw96k6mmguRxi5WczDHh8X:8NjHQhMIuDugWKm3ZmZw96k6mmguHi5P

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\xiUAEsYM\\PugYYEss.exe,"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\xiUAEsYM\\PugYYEss.exe,"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
992	hYsUAQQA.exe
4824	PugYYEss.exe
792	WMUAQIwI.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	hYsUAQQA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hYsUAQQA.exe = "C:\\Users\\Admin\\EeQYMcgw\\hYsUAQQA.exe"	hYsUAQQA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PugYYEss.exe = "C:\\ProgramData\\xiUAEsYM\\PugYYEss.exe"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PugYYEss.exe = "C:\\ProgramData\\xiUAEsYM\\PugYYEss.exe"	PugYYEss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PugYYEss.exe = "C:\\ProgramData\\xiUAEsYM\\PugYYEss.exe"	WMUAQIwI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hYsUAQQA.exe = "C:\\Users\\Admin\\EeQYMcgw\\hYsUAQQA.exe"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\EeQYMcgw	WMUAQIwI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\EeQYMcgw\hYsUAQQA	WMUAQIwI.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	hYsUAQQA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1956	reg.exe
3876	reg.exe
1652	reg.exe
4056	reg.exe
3956	reg.exe
2496	reg.exe
3456	reg.exe
1688	reg.exe
4784	reg.exe
2396	reg.exe
3032	reg.exe
4980	reg.exe
2164	reg.exe
4884	reg.exe
2800	reg.exe
904	reg.exe
3816	reg.exe
2164	reg.exe
1040	reg.exe
1584	reg.exe
3652	reg.exe
2416	reg.exe
1736	reg.exe
1324	reg.exe
3584	reg.exe
896	reg.exe
4040	reg.exe
3572	reg.exe
4408	reg.exe
2128	reg.exe
1316	reg.exe
5044	reg.exe
4360	reg.exe
3692	reg.exe
2056	reg.exe
2424	reg.exe
4336	reg.exe
2416	reg.exe
4980	reg.exe
2236	reg.exe
256	reg.exe
3372	reg.exe
2812	reg.exe
2952	reg.exe
1152	reg.exe
4972	reg.exe
4568	reg.exe
5112	reg.exe
4104	reg.exe
804	reg.exe
4636	reg.exe
1452	reg.exe
628	reg.exe
3156	reg.exe
1936	reg.exe
212	reg.exe
2176	reg.exe
2188	reg.exe
2364	reg.exe
1184	reg.exe
1812	reg.exe
5108	reg.exe
1428	reg.exe
4232	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
1148	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
1148	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
1148	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
1148	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4676	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4676	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4676	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4676	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4288	cscript.exe
4288	cscript.exe
4288	cscript.exe
4288	cscript.exe
4796	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4796	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4796	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4796	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
2312	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
2312	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
2312	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
2312	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
984	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
984	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
984	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
984	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
544	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
544	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
544	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
544	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
3908	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
3908	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
3908	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
3908	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4576	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4576	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4576	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4576	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4416	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4416	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4416	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4416	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4588	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4588	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4588	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4588	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4168	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4168	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4168	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4168	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4636	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4636	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4636	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
4636	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
992	hYsUAQQA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe
992	hYsUAQQA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 992	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	80
PID 2344 wrote to memory of 992	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	80
PID 2344 wrote to memory of 992	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	80
PID 2344 wrote to memory of 4824	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	81
PID 2344 wrote to memory of 4824	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	81
PID 2344 wrote to memory of 4824	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	81
PID 2344 wrote to memory of 1540	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	83
PID 2344 wrote to memory of 1540	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	83
PID 2344 wrote to memory of 1540	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	83
PID 2344 wrote to memory of 1812	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	85
PID 2344 wrote to memory of 1812	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	85
PID 2344 wrote to memory of 1812	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	85
PID 2344 wrote to memory of 3652	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	91
PID 2344 wrote to memory of 3652	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	91
PID 2344 wrote to memory of 3652	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	91
PID 2344 wrote to memory of 4980	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	90
PID 2344 wrote to memory of 4980	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	90
PID 2344 wrote to memory of 4980	2344	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	90
PID 1540 wrote to memory of 1652	1540	cmd.exe	89
PID 1540 wrote to memory of 1652	1540	cmd.exe	89
PID 1540 wrote to memory of 1652	1540	cmd.exe	89
PID 1652 wrote to memory of 4964	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	92
PID 1652 wrote to memory of 4964	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	92
PID 1652 wrote to memory of 4964	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	92
PID 1652 wrote to memory of 4056	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	94
PID 1652 wrote to memory of 4056	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	94
PID 1652 wrote to memory of 4056	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	94
PID 1652 wrote to memory of 4052	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	96
PID 1652 wrote to memory of 4052	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	96
PID 1652 wrote to memory of 4052	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	96
PID 1652 wrote to memory of 3956	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	101
PID 1652 wrote to memory of 3956	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	101
PID 1652 wrote to memory of 3956	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	101
PID 1652 wrote to memory of 832	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	98
PID 1652 wrote to memory of 832	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	98
PID 1652 wrote to memory of 832	1652	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	98
PID 4964 wrote to memory of 4360	4964	cmd.exe	102
PID 4964 wrote to memory of 4360	4964	cmd.exe	102
PID 4964 wrote to memory of 4360	4964	cmd.exe	102
PID 832 wrote to memory of 380	832	cmd.exe	103
PID 832 wrote to memory of 380	832	cmd.exe	103
PID 832 wrote to memory of 380	832	cmd.exe	103
PID 4360 wrote to memory of 2832	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	104
PID 4360 wrote to memory of 2832	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	104
PID 4360 wrote to memory of 2832	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	104
PID 4360 wrote to memory of 1624	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	106
PID 4360 wrote to memory of 1624	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	106
PID 4360 wrote to memory of 1624	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	106
PID 4360 wrote to memory of 4612	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	114
PID 4360 wrote to memory of 4612	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	114
PID 4360 wrote to memory of 4612	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	114
PID 4360 wrote to memory of 2592	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	108
PID 4360 wrote to memory of 2592	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	108
PID 4360 wrote to memory of 2592	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	108
PID 4360 wrote to memory of 4200	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	109
PID 4360 wrote to memory of 4200	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	109
PID 4360 wrote to memory of 4200	4360	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	109
PID 2832 wrote to memory of 1148	2832	cmd.exe	112
PID 2832 wrote to memory of 1148	2832	cmd.exe	112
PID 2832 wrote to memory of 1148	2832	cmd.exe	112
PID 4200 wrote to memory of 916	4200	cmd.exe	115
PID 4200 wrote to memory of 916	4200	cmd.exe	115
PID 4200 wrote to memory of 916	4200	cmd.exe	115
PID 1148 wrote to memory of 4164	1148	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe	116

System policy modification 1 TTPs 20 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
"C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\EeQYMcgw\hYsUAQQA.exe
  "C:\Users\Admin\EeQYMcgw\hYsUAQQA.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:992
- C:\ProgramData\xiUAEsYM\PugYYEss.exe
  "C:\ProgramData\xiUAEsYM\PugYYEss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
    C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        8⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        10⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        11⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        12⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        14⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        16⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        18⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        20⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        22⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        24⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        26⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        28⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        30⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        32⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        33⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        34⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        35⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        36⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        37⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        38⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        39⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        40⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        41⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        42⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        43⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        44⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        45⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        46⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        47⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        48⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        49⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        50⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        51⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        52⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        53⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        54⤵
        
        PID:4852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        55⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        56⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        57⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        58⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        59⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        60⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        61⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        62⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        63⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        64⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        65⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        66⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        67⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        68⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        69⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        70⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        71⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        72⤵
        
        PID:5020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        73⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        74⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        75⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        76⤵
        
        PID:3436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        77⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        78⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        79⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        80⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        81⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        82⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        83⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        84⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        85⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        86⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        87⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        88⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        89⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        90⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        91⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        92⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        93⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        95⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        96⤵
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        97⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        98⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        99⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        100⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        101⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        102⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        103⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        104⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        105⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        106⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        107⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        108⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        109⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        110⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        111⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        112⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        113⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        114⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        115⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        116⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        117⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        118⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        119⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        120⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        121⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        122⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        123⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        124⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        125⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        126⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        127⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        128⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        129⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        130⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        131⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        132⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        133⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        134⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        135⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        137⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        138⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        139⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        140⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        141⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        142⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        143⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        144⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        145⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        146⤵
        
        PID:4564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        147⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        148⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        149⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        150⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        151⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        152⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        153⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        154⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        155⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3"
        156⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3
        157⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeMcAkUU.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        156⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:3152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        UAC bypass
        Modifies registry key
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUcwoEcw.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        154⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:1152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYckUQQM.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        152⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSoYggks.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        150⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        UAC bypass
        
        PID:3208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmIQAIsM.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        148⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgQAcIYE.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        146⤵
        
        PID:1820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giQQAcEw.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        144⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKQscoUA.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        142⤵
        
        PID:1816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByoYIIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        140⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        UAC bypass
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        UAC bypass
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAAAgcUk.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        138⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies registry key
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKsoMQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        136⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAkMkQok.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        134⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmgUMMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        132⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwIYgMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        130⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmUAMEMs.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        128⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\magUgYMA.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        126⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        Modifies registry key
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqskUAcA.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        124⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:2536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        UAC bypass
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmkUAkUU.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        122⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        Modifies registry key
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies registry key
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmEwUoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        120⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGUMckkg.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        118⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYcgsoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        116⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAQsUgwU.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        114⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        UAC bypass
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMUswAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        112⤵
        
        PID:948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWkgIcQw.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        110⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSMUcYkI.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        108⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwYIkAUg.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        106⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEcEEsws.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        104⤵
        
        PID:3320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgoEMYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        102⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies registry key
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIsIUUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        100⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGEoAcck.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        98⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcoQwkcc.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        96⤵
        
        PID:1604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyIUgwkM.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        94⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doYkIsQE.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        92⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bagwQsgE.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        90⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqYsIkwI.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        88⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOsAAAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        86⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqoEMUEo.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        84⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:3616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaQkYAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaAkQckE.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        80⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyEoEIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        78⤵
        
        PID:4584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEQcAAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        76⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKgkswMg.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        74⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seMocEUU.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        72⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEQAEowo.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        70⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogIosgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        68⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgwYMoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuUEIoYY.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        64⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaIUUcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        62⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqsYMAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        60⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmwEQgMU.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        58⤵
        
        PID:3324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCQUAMUM.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        56⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CicoQgwU.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        54⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fygUMUcY.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        52⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgkIYgws.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        50⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoEAIQQA.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        48⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsQIAMkA.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        46⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEcQAgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        44⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEUwokAg.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        42⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icIsgIMM.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        40⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWEUckYo.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        38⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOYYwYEY.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        36⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAoUgEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        34⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biIYUkUM.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        32⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiUwIckM.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        30⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        UAC bypass
        
        PID:624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QewgMUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        28⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yyckokok.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        26⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUkQMsYc.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        24⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqEsEwEA.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        22⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiMcwoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        20⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEQUscIw.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        18⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGkcsMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        16⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoEYQkAs.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        14⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MegkYggw.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        12⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgIIMcEs.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        10⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQcAwscY.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        8⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:5032
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSIgQYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:916
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4612
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3672
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4052
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOskQAwA.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:380
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3956
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1812
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4980
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSwkQcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3.exe""
  2⤵
  PID:224
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:664

C:\ProgramData\eOgEkwEA\WMUAQIwI.exe
C:\ProgramData\eOgEkwEA\WMUAQIwI.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4288

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eOgEkwEA\WMUAQIwI.exe

Filesize
479KB

MD5
a82e948bb286fb3533a1fc2d4f441afa

SHA1
063959ebc5620db4b96ffa002655643c3b1019cd

SHA256
dff1494599ef6b56e9d6ee926f61d60f48de43b46d2f90a8aff148367752aef1

SHA512
9b8169bedee8644f80fb2d1184699999621ba266fbd288453466f5308ffefd5ce2f4fa3588b812cc950dcaa2f43ea65ed04294cf04ab6364cde69973c29c9a32

Download Submit
C:\ProgramData\eOgEkwEA\WMUAQIwI.exe

Filesize
479KB

MD5
a82e948bb286fb3533a1fc2d4f441afa

SHA1
063959ebc5620db4b96ffa002655643c3b1019cd

SHA256
dff1494599ef6b56e9d6ee926f61d60f48de43b46d2f90a8aff148367752aef1

SHA512
9b8169bedee8644f80fb2d1184699999621ba266fbd288453466f5308ffefd5ce2f4fa3588b812cc950dcaa2f43ea65ed04294cf04ab6364cde69973c29c9a32

Download Submit
C:\ProgramData\xiUAEsYM\PugYYEss.exe

Filesize
477KB

MD5
cf360cce4e5c8dcdde7ff127f76e7867

SHA1
2dfb4b4c5f7546392f5e051dfab23e2e0d087293

SHA256
8c109fa4ffb7a61fa2a60e4da154f03eeb1ec1596858c4c33a679249a9302974

SHA512
2e1ba2a6c66187d724d5d9c45b38ed7958c5744823827999d4c38b4aa8bb86b0c2f251f5e828d90a1dcf00692f4c6caa59403e7a436024b533673d3e534224b3

Download Submit
C:\ProgramData\xiUAEsYM\PugYYEss.exe

Filesize
477KB

MD5
cf360cce4e5c8dcdde7ff127f76e7867

SHA1
2dfb4b4c5f7546392f5e051dfab23e2e0d087293

SHA256
8c109fa4ffb7a61fa2a60e4da154f03eeb1ec1596858c4c33a679249a9302974

SHA512
2e1ba2a6c66187d724d5d9c45b38ed7958c5744823827999d4c38b4aa8bb86b0c2f251f5e828d90a1dcf00692f4c6caa59403e7a436024b533673d3e534224b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b11bff0bfb4feff74237832ad6a32c50c48318f49fb3f40ad468d0eb57e9ff3

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiUwIckM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EiMcwoAg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOYYwYEY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JqEsEwEA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MegkYggw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QewgMUgo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgIIMcEs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAoUgEwI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\biIYUkUM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUkQMsYc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQcAwscY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fSIgQYsQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\icIsgIMM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGkcsMoM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lOskQAwA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lWEUckYo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEQUscIw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyckokok.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoEYQkAs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\EeQYMcgw\hYsUAQQA.exe

Filesize
477KB

MD5
45ebbe39c953895054fedd8ebf3d25fb

SHA1
58d0a1b28cba3b381febb2b220c3cfb7791191f2

SHA256
e295a8f1b0c273d32c083e3266d737f410a2f6af65cef98f2b190eeae31cd2a4

SHA512
c174ab91d45151a42ba4af54e784670f29e1c80105bec2d4b232b763e5d658b067d79906873cd14a679ee44f04f43334a4e13dea01fb320da8c75126a8d1cb03

Download Submit
C:\Users\Admin\EeQYMcgw\hYsUAQQA.exe

Filesize
477KB

MD5
45ebbe39c953895054fedd8ebf3d25fb

SHA1
58d0a1b28cba3b381febb2b220c3cfb7791191f2

SHA256
e295a8f1b0c273d32c083e3266d737f410a2f6af65cef98f2b190eeae31cd2a4

SHA512
c174ab91d45151a42ba4af54e784670f29e1c80105bec2d4b232b763e5d658b067d79906873cd14a679ee44f04f43334a4e13dea01fb320da8c75126a8d1cb03

Download Submit
memory/544-242-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/792-148-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/896-315-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/904-295-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/924-306-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/924-305-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/984-235-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/984-286-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/992-256-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/992-137-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1040-303-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1148-178-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1156-285-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1316-290-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1356-310-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1356-311-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1640-317-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1640-316-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1652-156-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1652-149-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1900-323-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1900-322-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2100-320-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2100-319-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2144-294-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2312-223-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2344-132-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2344-250-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2468-304-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2788-312-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3360-281-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3852-308-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3908-244-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3908-245-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3964-307-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4040-296-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4040-297-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4168-269-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4180-301-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4212-318-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4288-200-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4288-202-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4292-309-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4360-166-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4416-259-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4416-258-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4548-314-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4548-313-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4576-253-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4576-252-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4588-264-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4588-263-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4592-300-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4592-299-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4600-302-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4636-273-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4640-321-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4676-190-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4676-182-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4732-298-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4796-213-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4824-147-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4824-261-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5028-277-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download