e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
Size

542KB
MD5

8474d3bfa94cf0503791e95995d5ed90
SHA1

c6f2268051897fc2d870001f1a9cc07ebfa14a59
SHA256

e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
SHA512

969f212c08a6688082505b6c7b85ccbff07737ff89f767f7c587e2f4db9ba009fc9c1d67b8c8fa35826cede1791d338f8c9d69c32793cb203cf8aa70c8f17fa4
SSDEEP

12288:a5ZPbEtyeBMBukT+68lEeQOX/Y6TP6oC1Y0+J52IiyXTNug4ZmZTHRvHws8qaZEP:a5ZQtXBW7y3lTNvYaMKfn2FugDAFVHww

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 63 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 62 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
388	VkoIEUUU.exe
2024	oYMoIcAg.exe
4012	BEUYAQMM.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	oYMoIcAg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VkoIEUUU.exe = "C:\\Users\\Admin\\dicEYMEY\\VkoIEUUU.exe"	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oYMoIcAg.exe = "C:\\ProgramData\\CIsEYsEg\\oYMoIcAg.exe"	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VkoIEUUU.exe = "C:\\Users\\Admin\\dicEYMEY\\VkoIEUUU.exe"	VkoIEUUU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oYMoIcAg.exe = "C:\\ProgramData\\CIsEYsEg\\oYMoIcAg.exe"	oYMoIcAg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oYMoIcAg.exe = "C:\\ProgramData\\CIsEYsEg\\oYMoIcAg.exe"	BEUYAQMM.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sheUnregisterFind.wma	oYMoIcAg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\dicEYMEY	BEUYAQMM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\dicEYMEY\VkoIEUUU	BEUYAQMM.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	oYMoIcAg.exe
File opened for modification	C:\Windows\SysWOW64\sheSelectRestore.mpg	oYMoIcAg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3120	reg.exe
4120	reg.exe
204	reg.exe
2548	reg.exe
4436	reg.exe
2768	reg.exe
2432	reg.exe
4080	reg.exe
4828	reg.exe
4560	reg.exe
2008	reg.exe
5104	reg.exe
3288	reg.exe
2688	reg.exe
1492	reg.exe
3020	reg.exe
4132	reg.exe
2220	reg.exe
4328	reg.exe
32	reg.exe
808	reg.exe
3012	reg.exe
4628	reg.exe
4440	reg.exe
64	reg.exe
4484	reg.exe
3304	reg.exe
3120	reg.exe
5080	reg.exe
868	reg.exe
2964	reg.exe
1488	reg.exe
4092	reg.exe
5068	reg.exe
4172	reg.exe
1904	reg.exe
4544	reg.exe
3888	reg.exe
3204	reg.exe
1088	reg.exe
4488	reg.exe
2220	reg.exe
2856	reg.exe
744	reg.exe
3580	reg.exe
4668	reg.exe
3708	reg.exe
1904	reg.exe
928	reg.exe
3008	reg.exe
4852	reg.exe
4828	reg.exe
2044	reg.exe
1272	reg.exe
3928	reg.exe
1348	reg.exe
1692	reg.exe
1088	reg.exe
1316	reg.exe
3924	reg.exe
1928	reg.exe
3120	reg.exe
4972	reg.exe
2016	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
5104	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
5104	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
5104	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
5104	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4124	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4124	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4124	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4124	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4480	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4480	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4480	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4480	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3472	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3472	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3472	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3472	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3888	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3888	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3888	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3888	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
2752	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
2752	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
2752	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
2752	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
2868	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
2868	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
2868	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
2868	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
1580	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
1580	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
1580	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
1580	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3204	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3204	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3204	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3204	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4224	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4224	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4224	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4224	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
1108	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
1108	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
1108	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
1108	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3124	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3124	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3124	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
3124	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4856	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4856	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4856	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
4856	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2024	oYMoIcAg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe
2024	oYMoIcAg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 388	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	84
PID 1336 wrote to memory of 388	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	84
PID 1336 wrote to memory of 388	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	84
PID 1336 wrote to memory of 2024	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	85
PID 1336 wrote to memory of 2024	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	85
PID 1336 wrote to memory of 2024	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	85
PID 1336 wrote to memory of 1980	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	87
PID 1336 wrote to memory of 1980	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	87
PID 1336 wrote to memory of 1980	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	87
PID 1980 wrote to memory of 2840	1980	cmd.exe	89
PID 1980 wrote to memory of 2840	1980	cmd.exe	89
PID 1980 wrote to memory of 2840	1980	cmd.exe	89
PID 1336 wrote to memory of 3752	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	90
PID 1336 wrote to memory of 3752	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	90
PID 1336 wrote to memory of 3752	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	90
PID 1336 wrote to memory of 3436	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	94
PID 1336 wrote to memory of 3436	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	94
PID 1336 wrote to memory of 3436	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	94
PID 1336 wrote to memory of 1704	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	92
PID 1336 wrote to memory of 1704	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	92
PID 1336 wrote to memory of 1704	1336	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	92
PID 2840 wrote to memory of 4008	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	96
PID 2840 wrote to memory of 4008	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	96
PID 2840 wrote to memory of 4008	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	96
PID 2840 wrote to memory of 3120	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	98
PID 2840 wrote to memory of 3120	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	98
PID 2840 wrote to memory of 3120	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	98
PID 2840 wrote to memory of 3304	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	100
PID 2840 wrote to memory of 3304	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	100
PID 2840 wrote to memory of 3304	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	100
PID 2840 wrote to memory of 4240	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	105
PID 2840 wrote to memory of 4240	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	105
PID 2840 wrote to memory of 4240	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	105
PID 2840 wrote to memory of 4420	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	101
PID 2840 wrote to memory of 4420	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	101
PID 2840 wrote to memory of 4420	2840	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	101
PID 4008 wrote to memory of 4356	4008	cmd.exe	106
PID 4008 wrote to memory of 4356	4008	cmd.exe	106
PID 4008 wrote to memory of 4356	4008	cmd.exe	106
PID 4420 wrote to memory of 2720	4420	cmd.exe	107
PID 4420 wrote to memory of 2720	4420	cmd.exe	107
PID 4420 wrote to memory of 2720	4420	cmd.exe	107
PID 4356 wrote to memory of 1288	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	108
PID 4356 wrote to memory of 1288	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	108
PID 4356 wrote to memory of 1288	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	108
PID 4356 wrote to memory of 3620	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	110
PID 4356 wrote to memory of 3620	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	110
PID 4356 wrote to memory of 3620	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	110
PID 4356 wrote to memory of 1904	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	111
PID 4356 wrote to memory of 1904	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	111
PID 4356 wrote to memory of 1904	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	111
PID 4356 wrote to memory of 3208	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	112
PID 4356 wrote to memory of 3208	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	112
PID 4356 wrote to memory of 3208	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	112
PID 4356 wrote to memory of 4924	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	116
PID 4356 wrote to memory of 4924	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	116
PID 4356 wrote to memory of 4924	4356	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	116
PID 1288 wrote to memory of 5104	1288	cmd.exe	118
PID 1288 wrote to memory of 5104	1288	cmd.exe	118
PID 1288 wrote to memory of 5104	1288	cmd.exe	118
PID 4924 wrote to memory of 4940	4924	cmd.exe	119
PID 4924 wrote to memory of 4940	4924	cmd.exe	119
PID 4924 wrote to memory of 4940	4924	cmd.exe	119
PID 5104 wrote to memory of 3292	5104	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe	120

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe

C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
"C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\dicEYMEY\VkoIEUUU.exe
  "C:\Users\Admin\dicEYMEY\VkoIEUUU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:388
- C:\ProgramData\CIsEYsEg\oYMoIcAg.exe
  "C:\ProgramData\CIsEYsEg\oYMoIcAg.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
    C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        8⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        10⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        12⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        14⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        16⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        18⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        20⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        22⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        24⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        26⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        28⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        30⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        32⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        33⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        34⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        35⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        36⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        37⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        38⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        39⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        40⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        41⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        42⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        43⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        44⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        45⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        46⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        47⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        48⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        49⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        50⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        51⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        52⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        53⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        54⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        55⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        56⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        57⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        58⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        59⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        60⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        61⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        63⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        64⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        65⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        66⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        67⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        68⤵
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        69⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        70⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        71⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        72⤵
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        73⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        74⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        75⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        76⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        77⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        78⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        79⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        80⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        81⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        82⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        83⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        84⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        85⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        86⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        87⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        88⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        89⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        90⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        91⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        92⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        93⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        94⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        95⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        96⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        97⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        98⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        99⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        100⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        101⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        102⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        103⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        105⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        106⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        107⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        108⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        109⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        110⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        111⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        112⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        113⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        114⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        115⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        116⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        117⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        118⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        119⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        120⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        121⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        122⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        123⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f"
        124⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f
        125⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAcoIMYc.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        124⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:3888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqUgwgoI.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        122⤵
        
        PID:2556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOkcEIAg.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        120⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCYkckYI.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        118⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\haEskcMs.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        116⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMEckcws.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        114⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKkEIMgk.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        112⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SikcgEMw.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        110⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kokkYYEs.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        108⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccYMMIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        106⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgMgoQYw.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        104⤵
        
        PID:4240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkEUwwAg.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        102⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAoMEQUk.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        100⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        UAC bypass
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIkYAEoY.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        98⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        UAC bypass
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsoggwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        96⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RowcQIUk.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        94⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWIsAAsA.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        92⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGwcUsEA.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        90⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awsAgAsY.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        88⤵
        
        PID:4584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mikwAkIc.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        86⤵
        
        PID:3012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        UAC bypass
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUIQQsoM.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        84⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeMgYEAI.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        82⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ruccokwc.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        80⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQMIYIEA.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        78⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGEksscA.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        76⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkYcwYAU.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        74⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYQggkIk.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        72⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:4092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKsMAcQE.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        70⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQokcwEM.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        68⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqUMwIQo.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        66⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEoUEsgk.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        64⤵
        
        PID:3592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        UAC bypass
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYMwcYUM.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        62⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:1316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fycUgcYg.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        60⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIQYkwEo.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        58⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWwYsUoY.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        56⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omccgscE.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        54⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        UAC bypass
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:2220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pycgcowc.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        52⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyIMAEAw.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        50⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIkEMocs.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        48⤵
        
        PID:308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWwowkoY.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        46⤵
        
        PID:4480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUUYAoEg.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        44⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoggUIgg.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        42⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkwMUEYQ.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        40⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwcgUIwI.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        38⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOYAYYMY.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        36⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hagEokQE.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        34⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\docEMMQk.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        32⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYAIIEoI.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        30⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGkgcksc.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        28⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuAAcUoc.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        26⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmIEIckA.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        24⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIsUooIE.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        22⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        UAC bypass
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwAowwsU.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        20⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYMcMMYc.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        18⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAEQcIEA.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        16⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaMkgQEY.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        14⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIMoUgcg.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        12⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuAIwkwM.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        10⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSEsMAsU.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        8⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:5108
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3620
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1904
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWUwUEIU.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4940
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:3120
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMoYsEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2720
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4240
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3752
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1704
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgUcAEAU.bat" "C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f.exe""
  2⤵
  PID:4400
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1248

C:\ProgramData\fCcgAUwI\BEUYAQMM.exe
C:\ProgramData\fCcgAUwI\BEUYAQMM.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CIsEYsEg\oYMoIcAg.exe

Filesize
434KB

MD5
e7f1c23c92711bdd708d649ee79eb4dc

SHA1
0130bcb01cc44bf9ef61b3cb4e322c3c220c44a4

SHA256
9b6e615d346ec3a8ac2d53a511da55018510333d2b46f367a61384a192ef6dbd

SHA512
00f5b6a6b91c597bb151a30707155c8e3f69920e3ce81120f6ed4003a632c096820a465104f30e83a0fe3310160a311ae5dbd7b4dd76482b91e33c211db40cf9

Download Submit
C:\ProgramData\CIsEYsEg\oYMoIcAg.exe

Filesize
434KB

MD5
e7f1c23c92711bdd708d649ee79eb4dc

SHA1
0130bcb01cc44bf9ef61b3cb4e322c3c220c44a4

SHA256
9b6e615d346ec3a8ac2d53a511da55018510333d2b46f367a61384a192ef6dbd

SHA512
00f5b6a6b91c597bb151a30707155c8e3f69920e3ce81120f6ed4003a632c096820a465104f30e83a0fe3310160a311ae5dbd7b4dd76482b91e33c211db40cf9

Download Submit
C:\ProgramData\fCcgAUwI\BEUYAQMM.exe

Filesize
433KB

MD5
b8ff794a2239c02131677d45a2437e7d

SHA1
6d113d54c93f8fb16f56e489e1e93a541a1d9b05

SHA256
18a25d2042eca714ed17daa7991781f65b4358b87970887d001639c96bed8ca4

SHA512
28cd4ab5a27bdd017d92ad6275b421fa8fc02334db5128d0d7266b0e1a3a77d49e7040b831e846e1a98ccac3539f9b9abcd047cc3cb7451c729cbd3bbdedaa47

Download Submit
C:\ProgramData\fCcgAUwI\BEUYAQMM.exe

Filesize
433KB

MD5
b8ff794a2239c02131677d45a2437e7d

SHA1
6d113d54c93f8fb16f56e489e1e93a541a1d9b05

SHA256
18a25d2042eca714ed17daa7991781f65b4358b87970887d001639c96bed8ca4

SHA512
28cd4ab5a27bdd017d92ad6275b421fa8fc02334db5128d0d7266b0e1a3a77d49e7040b831e846e1a98ccac3539f9b9abcd047cc3cb7451c729cbd3bbdedaa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\AuAAcUoc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BuAIwkwM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOYAYYMY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwAowwsU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWUwUEIU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkwMUEYQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwcgUIwI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YaMkgQEY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZSEsMAsU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\docEMMQk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0503657edff47af6c9bb45750bf8ce22e30119ccee49b99636267342ce4756f

Filesize
103KB

MD5
b44a59383b3123a747d139bd0e71d2df

SHA1
ca6ec835bffff37e28896df424db5559012d48b6

SHA256
553d0e053fe0af1b5c9886305fd34c46c5e122e6dc356891929bdae3712fe76b

SHA512
eb30c088cb600d3591cca19ea273f80519d8cb1b12f6fea4e036cd4dbd46964e904db5f69ff930d1bc932369b89fa4390a9d284bfc1a89ec28a0e3008e2c4313

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYAIIEoI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYMcMMYc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMoYsEsQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hagEokQE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIMoUgcg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAEQcIEA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGkgcksc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmIEIckA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIsUooIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\dicEYMEY\VkoIEUUU.exe

Filesize
436KB

MD5
ae345059743caf3787f5ea04e607b062

SHA1
e569152a32862203ae0debc7ea60a7bd6f84103e

SHA256
59dbcfeb2dcf0abac0ca45fc8073f0a71f4c8792c6d67924fbedb3edca994ac1

SHA512
0be132abeffed0176fc61c7396e30b00d8e041b16a6bac5ea2c381d209a1b45fce2e1c59874acd9a990f06d1ea94ee3f7cd5a09e120b612855bc952863bafe14

Download Submit
C:\Users\Admin\dicEYMEY\VkoIEUUU.exe

Filesize
436KB

MD5
ae345059743caf3787f5ea04e607b062

SHA1
e569152a32862203ae0debc7ea60a7bd6f84103e

SHA256
59dbcfeb2dcf0abac0ca45fc8073f0a71f4c8792c6d67924fbedb3edca994ac1

SHA512
0be132abeffed0176fc61c7396e30b00d8e041b16a6bac5ea2c381d209a1b45fce2e1c59874acd9a990f06d1ea94ee3f7cd5a09e120b612855bc952863bafe14

Download Submit
memory/388-270-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/388-147-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/816-290-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/888-285-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1064-320-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1076-315-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1088-303-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1088-304-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1108-262-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1336-269-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1336-135-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1336-309-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1580-249-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1580-300-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2008-302-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2024-276-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2024-149-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2076-321-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2228-313-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2228-312-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2248-298-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2392-311-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2476-295-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2476-291-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2664-301-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2752-238-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2840-159-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2868-245-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3124-266-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3204-253-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3372-310-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3372-308-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3372-299-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3460-318-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3460-319-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3472-215-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3580-314-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3820-277-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3888-220-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3888-227-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3980-325-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3988-324-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4012-151-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4124-183-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4124-190-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4172-322-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4172-323-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4212-317-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4224-256-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4224-258-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4228-282-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4284-297-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4284-296-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4356-170-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4356-167-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4440-305-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4440-306-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4460-326-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4480-203-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4668-316-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4780-307-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4856-273-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4856-272-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5104-182-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download