f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Analysis

max time kernel
165s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
Size

479KB
MD5

84990874119ffc27dc7e782cfd2aef20
SHA1

fcf4325d2b7e4d971d746644c21210578c3eb85b
SHA256

f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
SHA512

9a3ae4f863569990f840715ffdfc041cc70c452dd1c09d7e1364bd100d298bd4242ef00241496b12574a8553a3a919ec7823a1984acd2a205fd60d30e5251506
SSDEEP

12288:IcqrueThJyjLR9EJ0KXEVbI3VjI7Gs81ArKlO:VcPLyjLR9EJVXqaRI7GcZ

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 49 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 49 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
5100	PUMAsUss.exe
2092	uiMMwcsI.exe
2416	VeIAIUkc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	uiMMwcsI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PUMAsUss.exe = "C:\\Users\\Admin\\wiIEoYwk\\PUMAsUss.exe"	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PUMAsUss.exe = "C:\\Users\\Admin\\wiIEoYwk\\PUMAsUss.exe"	PUMAsUss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uiMMwcsI.exe = "C:\\ProgramData\\KmgwsQMg\\uiMMwcsI.exe"	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uiMMwcsI.exe = "C:\\ProgramData\\KmgwsQMg\\uiMMwcsI.exe"	uiMMwcsI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uiMMwcsI.exe = "C:\\ProgramData\\KmgwsQMg\\uiMMwcsI.exe"	VeIAIUkc.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\wiIEoYwk\PUMAsUss	VeIAIUkc.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	uiMMwcsI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\wiIEoYwk	VeIAIUkc.exe
File opened for modification	C:\Windows\SysWOW64\sheMergeStep.docx	uiMMwcsI.exe
File opened for modification	C:\Windows\SysWOW64\shePushLimit.docm	uiMMwcsI.exe
File opened for modification	C:\Windows\SysWOW64\sheRestorePush.png	uiMMwcsI.exe
File opened for modification	C:\Windows\SysWOW64\sheResumeMount.gif	uiMMwcsI.exe
File opened for modification	C:\Windows\SysWOW64\sheSuspendSave.rar	uiMMwcsI.exe
File opened for modification	C:\Windows\SysWOW64\sheInvokeMove.doc	uiMMwcsI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2436	reg.exe
2740	reg.exe
2456	reg.exe
4700	reg.exe
2764	reg.exe
4180	reg.exe
4484	reg.exe
4684	reg.exe
1660	reg.exe
2168	reg.exe
2164	reg.exe
3436	reg.exe
1708	reg.exe
3544	reg.exe
3536	reg.exe
3044	reg.exe
1444	reg.exe
312	reg.exe
2720	reg.exe
3920	reg.exe
3668	reg.exe
1904	reg.exe
2444	reg.exe
4800	reg.exe
4512	reg.exe
1072	reg.exe
3960	reg.exe
3580	reg.exe
4304	reg.exe
3040	reg.exe
1452	reg.exe
3252	reg.exe
4884	reg.exe
1452	reg.exe
1404	reg.exe
2444	reg.exe
1848	reg.exe
4712	reg.exe
4908	reg.exe
2848	reg.exe
4684	reg.exe
4916	reg.exe
2192	reg.exe
3396	reg.exe
4688	reg.exe
2272	reg.exe
3532	reg.exe
4620	reg.exe
4448	reg.exe
3764	reg.exe
3620	reg.exe
4396	reg.exe
4932	reg.exe
4388	reg.exe
712	reg.exe
3676	reg.exe
3996	reg.exe
4228	reg.exe
1768	reg.exe
1280	reg.exe
2932	reg.exe
3392	reg.exe
2108	reg.exe
1552	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2452	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2452	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2452	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2452	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2212	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2212	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2212	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2212	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
4476	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
4476	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
4476	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
4476	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2764	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2764	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2764	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2764	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
220	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
220	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
220	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
220	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
3028	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
3028	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
3028	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
3028	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
3628	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
3628	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
3628	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
3628	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
1872	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
1872	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
1872	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
1872	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
3560	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
3560	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
3560	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
3560	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2356	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2356	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2356	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2356	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2060	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2060	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2060	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
2060	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
4028	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
4028	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
4028	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
4028	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
1132	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
1132	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
1132	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
1132	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2092	uiMMwcsI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe
2092	uiMMwcsI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 5100	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	81
PID 2820 wrote to memory of 5100	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	81
PID 2820 wrote to memory of 5100	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	81
PID 2820 wrote to memory of 2092	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	82
PID 2820 wrote to memory of 2092	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	82
PID 2820 wrote to memory of 2092	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	82
PID 2820 wrote to memory of 2368	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	84
PID 2820 wrote to memory of 2368	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	84
PID 2820 wrote to memory of 2368	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	84
PID 2820 wrote to memory of 2456	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	86
PID 2820 wrote to memory of 2456	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	86
PID 2820 wrote to memory of 2456	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	86
PID 2820 wrote to memory of 3504	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	88
PID 2820 wrote to memory of 3504	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	88
PID 2820 wrote to memory of 3504	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	88
PID 2820 wrote to memory of 3444	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	89
PID 2820 wrote to memory of 3444	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	89
PID 2820 wrote to memory of 3444	2820	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	89
PID 2368 wrote to memory of 2304	2368	cmd.exe	92
PID 2368 wrote to memory of 2304	2368	cmd.exe	92
PID 2368 wrote to memory of 2304	2368	cmd.exe	92
PID 2304 wrote to memory of 3660	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	93
PID 2304 wrote to memory of 3660	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	93
PID 2304 wrote to memory of 3660	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	93
PID 3660 wrote to memory of 4592	3660	cmd.exe	95
PID 3660 wrote to memory of 4592	3660	cmd.exe	95
PID 3660 wrote to memory of 4592	3660	cmd.exe	95
PID 2304 wrote to memory of 4512	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	96
PID 2304 wrote to memory of 4512	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	96
PID 2304 wrote to memory of 4512	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	96
PID 2304 wrote to memory of 4700	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	97
PID 2304 wrote to memory of 4700	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	97
PID 2304 wrote to memory of 4700	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	97
PID 2304 wrote to memory of 4104	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	99
PID 2304 wrote to memory of 4104	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	99
PID 2304 wrote to memory of 4104	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	99
PID 2304 wrote to memory of 1996	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	102
PID 2304 wrote to memory of 1996	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	102
PID 2304 wrote to memory of 1996	2304	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	102
PID 4592 wrote to memory of 8	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	105
PID 4592 wrote to memory of 8	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	105
PID 4592 wrote to memory of 8	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	105
PID 4592 wrote to memory of 1088	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	107
PID 4592 wrote to memory of 1088	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	107
PID 4592 wrote to memory of 1088	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	107
PID 4592 wrote to memory of 2932	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	110
PID 4592 wrote to memory of 2932	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	110
PID 4592 wrote to memory of 2932	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	110
PID 4592 wrote to memory of 4304	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	108
PID 4592 wrote to memory of 4304	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	108
PID 4592 wrote to memory of 4304	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	108
PID 4592 wrote to memory of 5108	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	112
PID 4592 wrote to memory of 5108	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	112
PID 4592 wrote to memory of 5108	4592	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	112
PID 8 wrote to memory of 2452	8	cmd.exe	116
PID 8 wrote to memory of 2452	8	cmd.exe	116
PID 8 wrote to memory of 2452	8	cmd.exe	116
PID 2452 wrote to memory of 2340	2452	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	117
PID 2452 wrote to memory of 2340	2452	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	117
PID 2452 wrote to memory of 2340	2452	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	117
PID 2340 wrote to memory of 2212	2340	cmd.exe	119
PID 2340 wrote to memory of 2212	2340	cmd.exe	119
PID 2340 wrote to memory of 2212	2340	cmd.exe	119
PID 2452 wrote to memory of 3460	2452	f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe	120

C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
"C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\wiIEoYwk\PUMAsUss.exe
  "C:\Users\Admin\wiIEoYwk\PUMAsUss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5100
- C:\ProgramData\KmgwsQMg\uiMMwcsI.exe
  "C:\ProgramData\KmgwsQMg\uiMMwcsI.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
    C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        10⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        12⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        14⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        16⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        18⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        20⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        22⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        24⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        26⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        28⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        30⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        32⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        33⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        34⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        35⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        36⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        37⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        38⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        39⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        40⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        41⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        42⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        43⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        44⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        45⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        46⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        47⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        48⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        49⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        50⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        51⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        52⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        53⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        54⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        55⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        56⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        57⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        58⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        59⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        60⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        61⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        62⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        63⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        64⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        65⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        66⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        67⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        68⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        69⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        70⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        71⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        72⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        73⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        74⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        75⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        76⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        77⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        78⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        79⤵
        
        PID:260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        80⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        81⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        82⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        83⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        84⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        85⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        86⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        87⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        88⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        89⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        90⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        91⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        92⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        93⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        94⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        95⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        96⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd
        97⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd"
        98⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsMgsggc.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        98⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COgIUUAw.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        96⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYIkwMEo.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        94⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dygwAQoE.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        92⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqEcsUMI.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        90⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEkIggUY.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        88⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SscUscsA.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        86⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEAosAAc.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        84⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgIIckco.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        82⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMgwIoUI.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        80⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQoEkwsY.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        78⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIMMIUAw.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        76⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOsYsscI.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        74⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKoggEMA.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        72⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSEcMUEw.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        70⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYIEcoIM.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        68⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeAYQoAs.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        66⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMYkgEEU.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        64⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkEQoQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        62⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xScYgEMY.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        60⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imYMwIcE.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        58⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkgwkAIk.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        56⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICMIQIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        54⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEcUsEEs.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        52⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoEoscYw.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        50⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uywQkYQU.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        48⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEsoIMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        46⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyYQokYY.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        44⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYIwgoMc.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        42⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGgcooUg.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        40⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaMAUAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        38⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emUwAEAE.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        36⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYgIIQEM.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        34⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcEAoAYg.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        32⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQIcEYEY.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        30⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmYUYUok.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        28⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWYUIMcg.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        26⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAgYIYwY.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        24⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKMkkEgM.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        22⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiAQUQok.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        20⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwsIwYgU.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        18⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCUQscIA.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        16⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOQkQIgc.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        14⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYgAIYsM.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        12⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGIMkQYE.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        10⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGAoYAgY.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        8⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3772
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4304
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkcUIIQY.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
        6⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3652
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4512
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4700
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWkoMgEk.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
      4⤵
      PID:1996
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3452
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2456
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3504
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQEgMMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd.exe""
  2⤵
  PID:4412
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4676

C:\ProgramData\ZCMksYsw\VeIAIUkc.exe
C:\ProgramData\ZCMksYsw\VeIAIUkc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KmgwsQMg\uiMMwcsI.exe

Filesize
469KB

MD5
00c5463fa1217d06b533e62ed63898be

SHA1
fe4883902c84728c4180d944c9c2415a9310144a

SHA256
d998cae6e10cc2283db2caf3cda7db6cb566665c5f144d26f929b8152a0e19ca

SHA512
f9f7550f8e0c309f984dd4bc95086b92594fb1a9bbf2f91592e4c54acebcc8deae4ddc5d495150f2b711d30406f6759b85ef4b4c0a967b7a89821aa7b7b82526

Download Submit
C:\ProgramData\KmgwsQMg\uiMMwcsI.exe

Filesize
469KB

MD5
00c5463fa1217d06b533e62ed63898be

SHA1
fe4883902c84728c4180d944c9c2415a9310144a

SHA256
d998cae6e10cc2283db2caf3cda7db6cb566665c5f144d26f929b8152a0e19ca

SHA512
f9f7550f8e0c309f984dd4bc95086b92594fb1a9bbf2f91592e4c54acebcc8deae4ddc5d495150f2b711d30406f6759b85ef4b4c0a967b7a89821aa7b7b82526

Download Submit
C:\ProgramData\ZCMksYsw\VeIAIUkc.exe

Filesize
471KB

MD5
199cbbfa6f262174b4ae615095218147

SHA1
f1efe126c0ab805529ec5e9fa440d6d4a307631d

SHA256
743ddb852c176f0feb2195b862856be184040ac10d7919442ebebb7bab20c547

SHA512
727df23f567d9731fc31933ccaf5c9c7e40b24327f73027ae4d03c3fc8c95d2a885a6bec1ff886ea5f6789d68b017bd95c928addd3ab4d210106c1c02fc64af2

Download Submit
C:\ProgramData\ZCMksYsw\VeIAIUkc.exe

Filesize
471KB

MD5
199cbbfa6f262174b4ae615095218147

SHA1
f1efe126c0ab805529ec5e9fa440d6d4a307631d

SHA256
743ddb852c176f0feb2195b862856be184040ac10d7919442ebebb7bab20c547

SHA512
727df23f567d9731fc31933ccaf5c9c7e40b24327f73027ae4d03c3fc8c95d2a885a6bec1ff886ea5f6789d68b017bd95c928addd3ab4d210106c1c02fc64af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGAoYAgY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGIMkQYE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGgcooUg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWYUIMcg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PKMkkEgM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcEAoAYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCUQscIA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwsIwYgU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYgAIYsM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWkoMgEk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkcUIIQY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YiAQUQok.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZOQkQIgc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQIcEYEY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\emUwAEAE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35eb025bd3e1a620c5339545fa3f66b971f98994d29a5fd28232e0f9559c4bd

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYIwgoMc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAgYIYwY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmYUYUok.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xaMAUAEQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYgIIQEM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\wiIEoYwk\PUMAsUss.exe

Filesize
470KB

MD5
28e78758090c1f91e174a4f1513d8bac

SHA1
2079abde661b5e9df3bf9317b3517fc4e1af3f23

SHA256
4f5429b568a21655ccf46991b089648650774357385e1b570eddc58f64786475

SHA512
31227beaf2eed2b30e193b772446756fc16e31b1b8c37a9eb947650a57f852d40f54a5fbfe4d38306f5c2937aa624e7706c1c20e49d33ce66adaaca579835407

Download Submit
C:\Users\Admin\wiIEoYwk\PUMAsUss.exe

Filesize
470KB

MD5
28e78758090c1f91e174a4f1513d8bac

SHA1
2079abde661b5e9df3bf9317b3517fc4e1af3f23

SHA256
4f5429b568a21655ccf46991b089648650774357385e1b570eddc58f64786475

SHA512
31227beaf2eed2b30e193b772446756fc16e31b1b8c37a9eb947650a57f852d40f54a5fbfe4d38306f5c2937aa624e7706c1c20e49d33ce66adaaca579835407

Download Submit
memory/220-223-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/220-214-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/260-322-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1132-271-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1132-269-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1292-283-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1336-285-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1336-288-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1416-300-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1500-315-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1556-323-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1872-249-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1872-247-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1892-293-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1892-295-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2060-321-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2060-262-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2092-275-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2092-142-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2120-310-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2120-309-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2212-185-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2212-174-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2224-311-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2240-292-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2304-156-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2356-258-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2356-256-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2416-276-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2416-143-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2452-173-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2764-213-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2820-233-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2820-132-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2980-317-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2980-316-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3028-236-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3028-240-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3188-313-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3320-307-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3560-251-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3588-306-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3628-301-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3628-243-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3628-237-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3844-308-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4028-266-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4040-305-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4040-304-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4048-303-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4128-312-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4132-318-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4360-278-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4360-279-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4476-194-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4476-201-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4592-157-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4592-164-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4648-319-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4648-320-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4656-314-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4944-302-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5100-268-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5100-136-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download