625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Analysis

max time kernel
115s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
Size

486KB
MD5

850e53749b5da616d21bce97e92c2d90
SHA1

763d2fe2d983289c403cc88554c23f2f19d58499
SHA256

625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
SHA512

fb8536726ad34d25a130ca5cafab8b8218e0fa857835a3d794bfaa4b1172d1f3cbdd95d7f511069443e2b1eaacef40ae678352ae0e9662cf97de7792a9077b9f
SSDEEP

12288:mPPbulHLsM5XOTLzEoYsh69mY0oQHjtSv+Tslc:YPYsaGLI6o505UvU

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\aIIEscco\\wuUIsMIY.exe,"	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\aIIEscco\\wuUIsMIY.exe,"	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe

Modifies visibility of file extensions in Explorer 2 TTPs 43 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1332	oUMEMIkE.exe
660	wuUIsMIY.exe
1532	eqsQkUcQ.exe

Loads dropped DLL 22 IoCs

pid	Process
948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe
660	wuUIsMIY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\oUMEMIkE.exe = "C:\\Users\\Admin\\HeAAcsYA\\oUMEMIkE.exe"	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wuUIsMIY.exe = "C:\\ProgramData\\aIIEscco\\wuUIsMIY.exe"	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\oUMEMIkE.exe = "C:\\Users\\Admin\\HeAAcsYA\\oUMEMIkE.exe"	oUMEMIkE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wuUIsMIY.exe = "C:\\ProgramData\\aIIEscco\\wuUIsMIY.exe"	wuUIsMIY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wuUIsMIY.exe = "C:\\ProgramData\\aIIEscco\\wuUIsMIY.exe"	eqsQkUcQ.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\HeAAcsYA	eqsQkUcQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\HeAAcsYA\oUMEMIkE	eqsQkUcQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
304	reg.exe
1068	reg.exe
1620	reg.exe
992	reg.exe
2624	reg.exe
2156	reg.exe
1160	reg.exe
1772	reg.exe
3044	reg.exe
2652	reg.exe
544	reg.exe
1240	reg.exe
1072	reg.exe
2124	reg.exe
1808	reg.exe
836	reg.exe
824	reg.exe
1988	reg.exe
1100	reg.exe
1500	reg.exe
1556	reg.exe
1320	reg.exe
2992	reg.exe
2844	reg.exe
1116	reg.exe
1012	reg.exe
276	reg.exe
2108	reg.exe
2984	reg.exe
280	reg.exe
1100	reg.exe
896	reg.exe
1808	reg.exe
544	reg.exe
1748	reg.exe
332	reg.exe
800	reg.exe
840	reg.exe
1464	reg.exe
2408	reg.exe
2068	reg.exe
2276	reg.exe
1716	reg.exe
1692	reg.exe
276	reg.exe
2816	reg.exe
792	reg.exe
2504	reg.exe
472	reg.exe
1796	reg.exe
1096	reg.exe
2824	reg.exe
2904	reg.exe
1816	reg.exe
1988	reg.exe
1976	reg.exe
240	reg.exe
1096	reg.exe
2808	reg.exe
828	reg.exe
1916	reg.exe
1616	reg.exe
1716	reg.exe
1976	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1984	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1984	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1104	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1104	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1556	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1556	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1620	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1620	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1636	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1636	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
436	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
436	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1260	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1260	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1364	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1364	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1116	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1116	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1520	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1520	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
964	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
964	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
800	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
800	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
276	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
276	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1276	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1276	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1944	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1944	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
980	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
980	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1556	Process not Found
1556	Process not Found
1668	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1668	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
924	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
924	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1096	cmd.exe
1096	cmd.exe
1972	cmd.exe
1972	cmd.exe
1716	reg.exe
1716	reg.exe
320	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
320	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1244	cscript.exe
1244	cscript.exe
1976	reg.exe
1976	reg.exe
692	cscript.exe
692	cscript.exe
240	reg.exe
240	reg.exe
1500	cmd.exe
1500	cmd.exe
1916	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1916	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1452	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
1452	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1332	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	27
PID 948 wrote to memory of 1332	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	27
PID 948 wrote to memory of 1332	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	27
PID 948 wrote to memory of 1332	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	27
PID 948 wrote to memory of 660	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	28
PID 948 wrote to memory of 660	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	28
PID 948 wrote to memory of 660	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	28
PID 948 wrote to memory of 660	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	28
PID 948 wrote to memory of 572	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	30
PID 948 wrote to memory of 572	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	30
PID 948 wrote to memory of 572	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	30
PID 948 wrote to memory of 572	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	30
PID 572 wrote to memory of 344	572	cmd.exe	32
PID 572 wrote to memory of 344	572	cmd.exe	32
PID 572 wrote to memory of 344	572	cmd.exe	32
PID 572 wrote to memory of 344	572	cmd.exe	32
PID 948 wrote to memory of 824	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	33
PID 948 wrote to memory of 824	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	33
PID 948 wrote to memory of 824	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	33
PID 948 wrote to memory of 824	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	33
PID 948 wrote to memory of 792	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	34
PID 948 wrote to memory of 792	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	34
PID 948 wrote to memory of 792	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	34
PID 948 wrote to memory of 792	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	34
PID 948 wrote to memory of 840	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	36
PID 948 wrote to memory of 840	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	36
PID 948 wrote to memory of 840	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	36
PID 948 wrote to memory of 840	948	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	36
PID 344 wrote to memory of 1988	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	39
PID 344 wrote to memory of 1988	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	39
PID 344 wrote to memory of 1988	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	39
PID 344 wrote to memory of 1988	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	39
PID 1988 wrote to memory of 1984	1988	cmd.exe	41
PID 1988 wrote to memory of 1984	1988	cmd.exe	41
PID 1988 wrote to memory of 1984	1988	cmd.exe	41
PID 1988 wrote to memory of 1984	1988	cmd.exe	41
PID 344 wrote to memory of 828	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	42
PID 344 wrote to memory of 828	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	42
PID 344 wrote to memory of 828	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	42
PID 344 wrote to memory of 828	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	42
PID 344 wrote to memory of 1636	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	43
PID 344 wrote to memory of 1636	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	43
PID 344 wrote to memory of 1636	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	43
PID 344 wrote to memory of 1636	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	43
PID 344 wrote to memory of 1160	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	45
PID 344 wrote to memory of 1160	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	45
PID 344 wrote to memory of 1160	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	45
PID 344 wrote to memory of 1160	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	45
PID 344 wrote to memory of 1084	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	48
PID 344 wrote to memory of 1084	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	48
PID 344 wrote to memory of 1084	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	48
PID 344 wrote to memory of 1084	344	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	48
PID 1984 wrote to memory of 1320	1984	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	49
PID 1984 wrote to memory of 1320	1984	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	49
PID 1984 wrote to memory of 1320	1984	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	49
PID 1984 wrote to memory of 1320	1984	625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe	49
PID 1320 wrote to memory of 1104	1320	cmd.exe	52
PID 1320 wrote to memory of 1104	1320	cmd.exe	52
PID 1320 wrote to memory of 1104	1320	cmd.exe	52
PID 1320 wrote to memory of 1104	1320	cmd.exe	52
PID 1084 wrote to memory of 1908	1084	cmd.exe	53
PID 1084 wrote to memory of 1908	1084	cmd.exe	53
PID 1084 wrote to memory of 1908	1084	cmd.exe	53
PID 1084 wrote to memory of 1908	1084	cmd.exe	53

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
"C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\HeAAcsYA\oUMEMIkE.exe
  "C:\Users\Admin\HeAAcsYA\oUMEMIkE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1332
- C:\ProgramData\aIIEscco\wuUIsMIY.exe
  "C:\ProgramData\aIIEscco\wuUIsMIY.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
    C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:344
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        8⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        10⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        12⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        14⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        16⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        18⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        20⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        22⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        24⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        26⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        28⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        30⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        32⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        34⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        36⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        37⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        38⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        40⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        42⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        43⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        44⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        45⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        46⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        47⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        48⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        50⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        51⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        52⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        53⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        54⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        55⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        56⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        57⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        58⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        59⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        60⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        62⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        64⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        65⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        66⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        67⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        68⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        69⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        70⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        71⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        72⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        73⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        74⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        75⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        76⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        77⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        78⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        79⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        80⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        81⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        82⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        83⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        84⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        85⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        86⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        87⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        88⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        89⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        90⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        91⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        92⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        93⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        94⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        95⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        97⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        98⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        99⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        100⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        101⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        102⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        103⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        104⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        105⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        106⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        107⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        108⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        109⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        110⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        111⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        112⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        113⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        114⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        115⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        116⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        117⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        118⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        119⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        120⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        121⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c"
        122⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe
        
        C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c
        123⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kAEwQoUg.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        122⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKwQkAEE.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        120⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies registry key
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UsIQocwA.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        118⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JoMYUEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        116⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        Modifies registry key
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kaMYUgcc.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        114⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YYMUcEgg.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        112⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\puUskgUg.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        110⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KUEgUQYM.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        108⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSQIIsYM.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        106⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NUEAgMMg.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        104⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOwsoEYc.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        102⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies registry key
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dwkUQgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        100⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGEYEIQo.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XKkcsQgU.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        96⤵
        
        PID:280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OioYUQQE.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        94⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCAYUUEk.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        92⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQUsAEMY.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        90⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWEEgQok.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        88⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GccEYUQw.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        86⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies registry key
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TiAAowEc.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        84⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ggEMgcUo.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        82⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eWwYYoQs.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        80⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LaMggkQY.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        78⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQIYQMsY.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oecAgYYI.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        74⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        Modifies registry key
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fKQEwUYI.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        72⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iwYcAAwU.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        70⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwAcsYQo.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        68⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ugwoEkIM.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        66⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGQwwQUo.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        64⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        Suspicious behavior: EnumeratesProcesses
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HQIIsAgc.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        62⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        Modifies registry key
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gSMEksEs.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        60⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        Suspicious behavior: EnumeratesProcesses
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMYowQIk.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        58⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GGwAQgMs.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        56⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\losQgEYc.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        54⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VuEsEock.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        52⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        Modifies registry key
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HaYwksYw.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        50⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oEswIAcg.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        48⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DYAkUgoE.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        46⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vowAAIso.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        44⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kuIcckIo.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        42⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fGQgMEsE.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        40⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jQAkgEYs.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        38⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGUMIoUU.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        36⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zCUEkgUs.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        34⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ciMkAcME.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        32⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RwIMYcQg.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        30⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WwgEcoEg.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        28⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uUkwgMwU.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        26⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kCkYcsIY.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        24⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcAUosUA.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        22⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\usoQAocM.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        20⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bwsQMgws.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        18⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUMIkkYY.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        16⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zQoUAMoE.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        14⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZQgQMsQU.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        12⤵
        
        PID:280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kqssMoQY.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        10⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zAcYoUAs.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        8⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1212
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1716
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1244
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCEYkwIo.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
        6⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:964
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:828
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1160
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\cWYgokcY.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1908
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:824
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:792
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWMkQscs.bat" "C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c.exe""
  2⤵
  PID:1364
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1956

C:\ProgramData\RMYcIcYM\eqsQkUcQ.exe
C:\ProgramData\RMYcIcYM\eqsQkUcQ.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2035069175-11705125713341284391590647288290472809433426060-6532767861284849154"
1⤵
- UAC bypass
PID:472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "46254617-1501963910-642054283152591745310596588181529406915-1361640941520908238"
1⤵
- UAC bypass
PID:1716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1416019652-13763580532000917218-52515202652502102463925594-13802688281147282488"
1⤵
PID:1156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-84834473115784272601846688185159685533-17266777041954717178955647931884250925"
1⤵
PID:472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1139154921-3413331021950729151489507908716224021-1494356263-1632589369-1133906561"
1⤵
PID:836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "199418381-6741111771941869882-113226640415680679116287726815225175311342133116"
1⤵
PID:1276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2019762605-1419675151-1201882000-20461756361115995771-5568136801936471264-735391966"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-567472330339665343-404247458-918291628-2110556195733959870-1410797057139484665"
1⤵
PID:1116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "56221868212459568991307765867497906456-43169335-1696316413-741840699-1121897048"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "449169084478055692-2675508061502951412-440190272-473601167-941340702897007551"
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1600612568-7739597321060361164-1461519720-3703332071653587629-1721809612485880091"
1⤵
PID:1572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-711287105-181756396620851205812126263296990079870-16222539831324598839-1801539188"
1⤵
PID:1156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-60509321310384956815064907891983998352-1336728453-1189196855-13290105361411133928"
1⤵
PID:1728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1376484365-183135967710858736981116388191-1090436684-12844262799878753551200161314"
1⤵
- UAC bypass
PID:1240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2495872601707875354250201735-1865921115-74083615716555562401671715675-1354191071"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4953273721694030346499100814-199173159294020958466853002-505454476-656056625"
1⤵
PID:692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15947156333046141751353661161-3129334921081620844-707922308-12532176531085468209"
1⤵
- Modifies visibility of file extensions in Explorer
PID:800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1295700181-576147767736394053746023898105430630720876980581112098283-1389541405"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1500622501969409055-633101727-158060196-1358126188-2103949285-924017991501101798"
1⤵
- UAC bypass
PID:276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-722759503397414247-142366862-502477135-1235382089-967838649483472529-1800798413"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2019140469-5559688-1321396568571754142204703664517353044748710923581542431572"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1766857577-1793015973-69992660-20510370836261458081926606545-15989013431537633195"
1⤵
PID:1904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "180774502240768623417682242396955023801233734738-1828225371-1979357690400989256"
1⤵
- UAC bypass
PID:1072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1586634219-13123458078684085241634032056262701883630480900-1654009426-1523000365"
1⤵
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "220579036-973501394809184618769645504-1849017464-1579911297-1686683325740144379"
1⤵
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "694047589-204160539697947434010165943531793073384-972000783308748778-1060057180"
1⤵
- UAC bypass
PID:992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-85161151610342392341477697659-1300764253-1164575295297764589-77225030-1936209078"
1⤵
PID:1500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1772776480-87443683767832733853826884-1584237861304118060-1792806221434621262"
1⤵
PID:1680

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1512866839-129404457-1051934108-1152747048-990229661-1223044328-1234387556749191814"
1⤵
- UAC bypass
PID:1936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1473662999195946292-15665188541177572622-1290837785-1431051455-293402586-2064440334"
1⤵
- UAC bypass
PID:688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1608025701109702256-1852244447423213642-1306040889-700062877-196217157-1923965803"
1⤵
PID:2416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12157009512144585066-1462130948-1963809122-1522085561-7058992431919831254423151433"
1⤵
PID:2444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-100599081114737138341836919775872571756174686098612869871285031136351289677049"
1⤵
- UAC bypass
PID:2284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RMYcIcYM\eqsQkUcQ.exe

Filesize
477KB

MD5
6ff1cff162888f7741a20f3f36725836

SHA1
a27a7d66c73c0c7ae6d88a97633433c7f0b59a85

SHA256
a33086fcb5b84fddfab3ed174a5c8199deecdeaf0667a8fcd645542829bf0570

SHA512
308866c835ced8b56051c09513ee24a87e7e471ac5085b09a7fb08c230e90f990ea4fdf8657c2516ec95971c16683e4b84475a9b0ff14b2cad39b0b0cefbbe6f

Download Submit
C:\ProgramData\aIIEscco\wuUIsMIY.exe

Filesize
482KB

MD5
fff286849f98554421112f6f96b9f26e

SHA1
0a6e9d9473d8bba39e53ac466322dc31ff0a14be

SHA256
d6461f25e5f0363308f69dd0b7f6bc97238575497aeb5354970f7ee7956c23e8

SHA512
99e50ecde4188fb1cdae74ae2fc2a4a5244c99a80d5b1bd8cda863885c25459a295b24e34215a4c0a080e1ec56dc78bc4bf1246c71e731e144555aa4dda5babf

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\625bae212bda0eca7e799b884ae6970b27a66f3200caa79f89acb359edc7366c

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QCEYkwIo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwIMYcQg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwgEcoEg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQgQMsQU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWMkQscs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcAUosUA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwsQMgws.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cGUMIoUU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cWYgokcY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciMkAcME.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQAkgEYs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kCkYcsIY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqssMoQY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUMIkkYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUkwgMwU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\usoQAocM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAcYoUAs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCUEkgUs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQoUAMoE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\HeAAcsYA\oUMEMIkE.exe

Filesize
481KB

MD5
ac2ab5743cb80a80c68ae0e1cfe50738

SHA1
48ff37ed2c0325f7195da0952de498768f7d0910

SHA256
82d7f585dae01b21d352af2e03b4a085eaf03df59cfbd922cf324a7528ed3afb

SHA512
5262fbc144acbd9ea576e4e1e01c15b5fdf9f864938c56b1df5d108341df1412164f28a121894209b528525defa7bb4dbe059ed02bca80815485653ac09cf901

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\aIIEscco\wuUIsMIY.exe

Filesize
482KB

MD5
fff286849f98554421112f6f96b9f26e

SHA1
0a6e9d9473d8bba39e53ac466322dc31ff0a14be

SHA256
d6461f25e5f0363308f69dd0b7f6bc97238575497aeb5354970f7ee7956c23e8

SHA512
99e50ecde4188fb1cdae74ae2fc2a4a5244c99a80d5b1bd8cda863885c25459a295b24e34215a4c0a080e1ec56dc78bc4bf1246c71e731e144555aa4dda5babf

Download Submit
\ProgramData\aIIEscco\wuUIsMIY.exe

Filesize
482KB

MD5
fff286849f98554421112f6f96b9f26e

SHA1
0a6e9d9473d8bba39e53ac466322dc31ff0a14be

SHA256
d6461f25e5f0363308f69dd0b7f6bc97238575497aeb5354970f7ee7956c23e8

SHA512
99e50ecde4188fb1cdae74ae2fc2a4a5244c99a80d5b1bd8cda863885c25459a295b24e34215a4c0a080e1ec56dc78bc4bf1246c71e731e144555aa4dda5babf

Download Submit
\Users\Admin\HeAAcsYA\oUMEMIkE.exe

Filesize
481KB

MD5
ac2ab5743cb80a80c68ae0e1cfe50738

SHA1
48ff37ed2c0325f7195da0952de498768f7d0910

SHA256
82d7f585dae01b21d352af2e03b4a085eaf03df59cfbd922cf324a7528ed3afb

SHA512
5262fbc144acbd9ea576e4e1e01c15b5fdf9f864938c56b1df5d108341df1412164f28a121894209b528525defa7bb4dbe059ed02bca80815485653ac09cf901

Download Submit
\Users\Admin\HeAAcsYA\oUMEMIkE.exe

Filesize
481KB

MD5
ac2ab5743cb80a80c68ae0e1cfe50738

SHA1
48ff37ed2c0325f7195da0952de498768f7d0910

SHA256
82d7f585dae01b21d352af2e03b4a085eaf03df59cfbd922cf324a7528ed3afb

SHA512
5262fbc144acbd9ea576e4e1e01c15b5fdf9f864938c56b1df5d108341df1412164f28a121894209b528525defa7bb4dbe059ed02bca80815485653ac09cf901

Download Submit
memory/240-298-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/276-222-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/276-232-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/320-282-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/320-284-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/344-77-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/344-89-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/436-156-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/436-189-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/660-176-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/660-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/692-294-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/692-297-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/800-225-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/800-218-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/924-269-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/924-265-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/948-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/948-145-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/948-244-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/948-54-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/964-224-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/964-212-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/980-251-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/980-243-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1096-272-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1096-270-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1104-106-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1104-113-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1116-208-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1116-196-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1244-286-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1244-289-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1260-167-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1260-197-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1276-238-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1276-231-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1332-175-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1332-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1364-203-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1364-185-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1520-213-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1520-202-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1532-184-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1532-70-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1556-258-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1556-107-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1556-135-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1556-253-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1620-130-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1620-149-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1636-147-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1636-168-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1668-260-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1668-266-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1716-280-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1716-278-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1944-237-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1944-245-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1972-277-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1972-274-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1976-290-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1976-292-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1984-85-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1984-99-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download