3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
Size

506KB
MD5

22ea7d2e93ff8eb95fb461c9bd495e30
SHA1

ea76ca9758f7eddb0f4654e078f7613403d02bc9
SHA256

3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
SHA512

a2e39f9ec4030893ed2470365516ffe56db7560a6da0a147d72d134a1e33d898b4c12bae023c2d7860dbc424b318cca3b83790b5fccc590a7a67caa9fdce62e0
SSDEEP

12288:/enUy798MPK9C/AAANyd3OqIPx9dzztgm8rjOmSYZIQIb:2nUy798MEC/+qIP/dkjDZzIb

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4592	wqwkQYwU.exe
220	VkUMAUMw.exe
3856	RSscEgwg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wqwkQYwU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KYcYYcww.exe = "C:\\ProgramData\\DasMMQUI\\KYcYYcww.exe"	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqwkQYwU.exe = "C:\\Users\\Admin\\boIcsYwI\\wqwkQYwU.exe"	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VkUMAUMw.exe = "C:\\ProgramData\\ZcYcMEEo\\VkUMAUMw.exe"	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wqwkQYwU.exe = "C:\\Users\\Admin\\boIcsYwI\\wqwkQYwU.exe"	wqwkQYwU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VkUMAUMw.exe = "C:\\ProgramData\\ZcYcMEEo\\VkUMAUMw.exe"	VkUMAUMw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VkUMAUMw.exe = "C:\\ProgramData\\ZcYcMEEo\\VkUMAUMw.exe"	RSscEgwg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FYYQgIYw.exe = "C:\\Users\\Admin\\USAkUkgA\\FYYQgIYw.exe"	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\boIcsYwI	RSscEgwg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\boIcsYwI\wqwkQYwU	RSscEgwg.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	wqwkQYwU.exe
File opened for modification	C:\Windows\SysWOW64\sheSendLimit.jpg	wqwkQYwU.exe
File opened for modification	C:\Windows\SysWOW64\sheUpdateFormat.xls	wqwkQYwU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3912	8	WerFault.exe	288
4816	3244	WerFault.exe	291
2008	4476	WerFault.exe	289

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4040	reg.exe
2312	reg.exe
1156	reg.exe
4348	reg.exe
3156	reg.exe
5048	reg.exe
2344	reg.exe
2700	reg.exe
3204	reg.exe
1044	reg.exe
1160	reg.exe
3340	reg.exe
1856	reg.exe
904	reg.exe
4960	reg.exe
2848	reg.exe
1700	reg.exe
2044	reg.exe
2940	reg.exe
3156	reg.exe
2256	reg.exe
3608	reg.exe
3116	reg.exe
4948	reg.exe
1404	reg.exe
3880	reg.exe
4172	reg.exe
3528	reg.exe
3012	reg.exe
316	reg.exe
2688	reg.exe
3608	reg.exe
3576	reg.exe
2812	reg.exe
2700	reg.exe
4340	reg.exe
4632	reg.exe
4680	reg.exe
1240	reg.exe
2168	reg.exe
4368	reg.exe
880	reg.exe
4912	reg.exe
4736	reg.exe
1592	reg.exe
3700	reg.exe
1528	reg.exe
2488	reg.exe
1484	reg.exe
8	reg.exe
4224	reg.exe
1176	reg.exe
1796	reg.exe
1996	reg.exe
1412	reg.exe
4568	reg.exe
2136	reg.exe
1148	reg.exe
4276	reg.exe
3608	reg.exe
1820	reg.exe
4336	reg.exe
3492	reg.exe
1752	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
540	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
540	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
540	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
540	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3488	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3488	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3488	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3488	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3768	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3768	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3768	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3768	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
2912	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
2912	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
2912	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
2912	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4368	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4368	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4368	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4368	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
1824	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
1824	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
1824	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
1824	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4008	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4008	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4008	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4008	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4332	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4332	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4332	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4332	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
100	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
100	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
100	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
100	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3544	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3544	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3544	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3544	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
1528	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
1528	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
1528	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
1528	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
3380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4808	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4808	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4808	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
4808	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4592	wqwkQYwU.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe
4592	wqwkQYwU.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 4592	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	84
PID 4380 wrote to memory of 4592	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	84
PID 4380 wrote to memory of 4592	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	84
PID 4380 wrote to memory of 220	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	85
PID 4380 wrote to memory of 220	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	85
PID 4380 wrote to memory of 220	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	85
PID 4380 wrote to memory of 4256	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	87
PID 4380 wrote to memory of 4256	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	87
PID 4380 wrote to memory of 4256	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	87
PID 4380 wrote to memory of 1888	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	89
PID 4380 wrote to memory of 1888	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	89
PID 4380 wrote to memory of 1888	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	89
PID 4380 wrote to memory of 4428	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	94
PID 4380 wrote to memory of 4428	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	94
PID 4380 wrote to memory of 4428	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	94
PID 4380 wrote to memory of 2728	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	93
PID 4380 wrote to memory of 2728	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	93
PID 4380 wrote to memory of 2728	4380	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	93
PID 4256 wrote to memory of 1136	4256	cmd.exe	91
PID 4256 wrote to memory of 1136	4256	cmd.exe	91
PID 4256 wrote to memory of 1136	4256	cmd.exe	91
PID 1136 wrote to memory of 4680	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	96
PID 1136 wrote to memory of 4680	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	96
PID 1136 wrote to memory of 4680	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	96
PID 1136 wrote to memory of 3076	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	98
PID 1136 wrote to memory of 3076	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	98
PID 1136 wrote to memory of 3076	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	98
PID 1136 wrote to memory of 4568	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	100
PID 1136 wrote to memory of 4568	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	100
PID 1136 wrote to memory of 4568	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	100
PID 1136 wrote to memory of 4384	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	102
PID 1136 wrote to memory of 4384	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	102
PID 1136 wrote to memory of 4384	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	102
PID 1136 wrote to memory of 2036	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	103
PID 1136 wrote to memory of 2036	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	103
PID 1136 wrote to memory of 2036	1136	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	103
PID 4680 wrote to memory of 4552	4680	cmd.exe	106
PID 4680 wrote to memory of 4552	4680	cmd.exe	106
PID 4680 wrote to memory of 4552	4680	cmd.exe	106
PID 4552 wrote to memory of 4284	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	107
PID 4552 wrote to memory of 4284	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	107
PID 4552 wrote to memory of 4284	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	107
PID 4284 wrote to memory of 540	4284	cmd.exe	110
PID 4284 wrote to memory of 540	4284	cmd.exe	110
PID 4284 wrote to memory of 540	4284	cmd.exe	110
PID 4552 wrote to memory of 3456	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	109
PID 4552 wrote to memory of 3456	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	109
PID 4552 wrote to memory of 3456	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	109
PID 4552 wrote to memory of 4368	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	111
PID 4552 wrote to memory of 4368	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	111
PID 4552 wrote to memory of 4368	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	111
PID 4552 wrote to memory of 1404	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	112
PID 4552 wrote to memory of 1404	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	112
PID 4552 wrote to memory of 1404	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	112
PID 4552 wrote to memory of 3732	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	113
PID 4552 wrote to memory of 3732	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	113
PID 4552 wrote to memory of 3732	4552	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	113
PID 540 wrote to memory of 4884	540	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	117
PID 540 wrote to memory of 4884	540	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	117
PID 540 wrote to memory of 4884	540	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	117
PID 540 wrote to memory of 2688	540	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	120
PID 540 wrote to memory of 2688	540	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	120
PID 540 wrote to memory of 2688	540	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	120
PID 540 wrote to memory of 1976	540	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe	123

System policy modification 1 TTPs 10 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
"C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Users\Admin\boIcsYwI\wqwkQYwU.exe
  "C:\Users\Admin\boIcsYwI\wqwkQYwU.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4592
- C:\ProgramData\ZcYcMEEo\VkUMAUMw.exe
  "C:\ProgramData\ZcYcMEEo\VkUMAUMw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
    C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4680
    - - C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        8⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        10⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        12⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        14⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        16⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        18⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        20⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        22⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        24⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        26⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        28⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        30⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        32⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        33⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        34⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        35⤵
        Adds Run key to start application
        
        PID:4584
        
        C:\Users\Admin\USAkUkgA\FYYQgIYw.exe
        
        "C:\Users\Admin\USAkUkgA\FYYQgIYw.exe"
        36⤵
        
        PID:8
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 284
        37⤵
        Program crash
        
        PID:3912
        
        C:\ProgramData\DasMMQUI\KYcYYcww.exe
        
        "C:\ProgramData\DasMMQUI\KYcYYcww.exe"
        36⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 392
        37⤵
        Program crash
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        36⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        37⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        38⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        39⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        40⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        41⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        42⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        43⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        44⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        45⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        46⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        47⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        48⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        49⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        50⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        51⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        52⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        53⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        54⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        55⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        56⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        57⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        58⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        59⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        60⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        61⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        62⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        63⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        64⤵
        
        PID:3652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        65⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        66⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        67⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        68⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        69⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        70⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        71⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        72⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        73⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        74⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        75⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        76⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        77⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        78⤵
        
        PID:884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        79⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        80⤵
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        UAC bypass
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        81⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        82⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        83⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        84⤵
        
        PID:2084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        85⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        86⤵
        
        PID:1320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        87⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        88⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        89⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        90⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        91⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        92⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        93⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        94⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        95⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        96⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        97⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        98⤵
        
        PID:2452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        99⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        100⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        101⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        102⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        103⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        104⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        105⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        106⤵
        
        PID:944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        107⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        108⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        109⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        110⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        111⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        112⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        113⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        114⤵
        
        PID:3204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        115⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        116⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        117⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        118⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        119⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        120⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        121⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        122⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        123⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        124⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        125⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        126⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        127⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741"
        128⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe
        
        C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741
        129⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        Modifies registry key
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yUsgYIoA.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        128⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WikQggAo.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        126⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laokoIwk.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        124⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGIgYIUw.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        122⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcEMwYUk.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Modifies registry key
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ToQoEwIA.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        118⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCUYsQoc.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        116⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foEcUcMo.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        114⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        UAC bypass
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwksoQAI.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        112⤵
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCYsIEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        110⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAkkMocs.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        108⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIMMUcIU.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        106⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsEgQssg.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        104⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwAAUgwg.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        102⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fogMQgQI.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        100⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWgcsQIU.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        98⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsQQckUs.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        96⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quMQEccs.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        94⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOooQwMs.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        92⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiEYMAgA.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        90⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSQQMMYU.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        88⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:4172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIwsIQYM.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        86⤵
        
        PID:2816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEcIAwEE.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        84⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyYEUMAk.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        82⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSIcQUIo.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        80⤵
        
        PID:2912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        UAC bypass
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POUAMEAk.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        78⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMAsMgUA.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        76⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQksAIAU.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        74⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emcQAIos.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        72⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dScAkAss.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        70⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCIcMIcc.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        68⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUwAgAUA.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        66⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkAcgksY.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        64⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYQMsYoc.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        62⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKUEsgMc.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        60⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        UAC bypass
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEkEQsYs.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        58⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWssYkEU.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        56⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        Modifies visibility of file extensions in Explorer
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:3608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGkcMsII.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        54⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAQEkkwk.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        52⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOEcQUsU.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        50⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYUIoUIU.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        48⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaIkIoYg.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        46⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMYUgMws.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        44⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGssscsA.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        42⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSQoUwAs.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        40⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PagUYwck.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        38⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RggkQAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        36⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAAEwwAI.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        34⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWQAEwUc.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        32⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zekgsUQM.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        30⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IysIgwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        28⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeUkgIso.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        26⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqYowEYM.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        24⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWQYIMoM.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        22⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuwEskAA.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        20⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGcQwMcU.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        18⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcowsAcY.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        16⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYIsEsYo.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        14⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scIsQYww.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        12⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bywUEYAU.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        10⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYYckkgI.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        8⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1108
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3456
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:4368
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWUcoccI.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
        6⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2024
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3076
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4568
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgIEcIAc.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
      4⤵
      PID:2036
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1888
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2728
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYkoccQE.bat" "C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741.exe""
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1940

C:\ProgramData\HyAcwIwA\RSscEgwg.exe
C:\ProgramData\HyAcwIwA\RSscEgwg.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 8 -ip 8
1⤵
PID:4140

C:\ProgramData\vIokUMcc\UykUUkkA.exe
C:\ProgramData\vIokUMcc\UykUUkkA.exe
1⤵
PID:3244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 264
  2⤵
  - Program crash
  PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4476 -ip 4476
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3244 -ip 3244
1⤵
PID:3336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HyAcwIwA\RSscEgwg.exe

Filesize
430KB

MD5
313ab4077b972faae7c110b82e3091c0

SHA1
fe16a1c9477607dd77ad5521969d66614f3c7ac0

SHA256
d741c13278fab3aa8b527f8fb0b1c32ea3bfab9d6b9a459bd0a9369ba725664e

SHA512
12ce9aeeb36aa614ec6b14d88779a4b8e118a89cbf691dc5c521ee024e2d371d68686764e6775ef890bb11b91e8c7d44e768ca7e6cbc25cd30c3de053d3042e4

Download Submit
C:\ProgramData\HyAcwIwA\RSscEgwg.exe

Filesize
430KB

MD5
313ab4077b972faae7c110b82e3091c0

SHA1
fe16a1c9477607dd77ad5521969d66614f3c7ac0

SHA256
d741c13278fab3aa8b527f8fb0b1c32ea3bfab9d6b9a459bd0a9369ba725664e

SHA512
12ce9aeeb36aa614ec6b14d88779a4b8e118a89cbf691dc5c521ee024e2d371d68686764e6775ef890bb11b91e8c7d44e768ca7e6cbc25cd30c3de053d3042e4

Download Submit
C:\ProgramData\ZcYcMEEo\VkUMAUMw.exe

Filesize
431KB

MD5
8d37767fd9d3e67ee37062eba41429f8

SHA1
fd70139e0e82346eb3532844018dadfe443b9338

SHA256
441f91b894d655995699928be38cf792eb981b7ea2f0365621daa1e45ed04d2e

SHA512
736ea61f61c1e91b7fb1bfab7079c94878e8b59612f4aa0a4ded4da42a6a59d854025cb006b2fb545676eca232ce512fb922853873bc48675df5d9067beddf52

Download Submit
C:\ProgramData\ZcYcMEEo\VkUMAUMw.exe

Filesize
431KB

MD5
8d37767fd9d3e67ee37062eba41429f8

SHA1
fd70139e0e82346eb3532844018dadfe443b9338

SHA256
441f91b894d655995699928be38cf792eb981b7ea2f0365621daa1e45ed04d2e

SHA512
736ea61f61c1e91b7fb1bfab7079c94878e8b59612f4aa0a4ded4da42a6a59d854025cb006b2fb545676eca232ce512fb922853873bc48675df5d9067beddf52

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3768016703a237772237ca984d973ee46bb9a88719bc3487a71e0c29acec5741

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\CeUkgIso.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IysIgwAQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWQYIMoM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OuwEskAA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PagUYwck.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYYckkgI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgIEcIAc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bywUEYAU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cWQAEwUc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqYowEYM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gGcQwMcU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMYUgMws.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nWUcoccI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcowsAcY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rSQoUwAs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYIsEsYo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\scIsQYww.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uGssscsA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAAEwwAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zekgsUQM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\boIcsYwI\wqwkQYwU.exe

Filesize
433KB

MD5
6c083be52d641c41b8db0edcbcac68e8

SHA1
cae79eba195fc46c873367fec6b6ec98e6a15c29

SHA256
20c4932872e198f212fc37b28fe60d5075032c1fd5fe0ce73d232a85cd0a24ab

SHA512
ab490d43b132ba8ab455bb1b02d8133c2ada60f8c6cdd694d0b3a5186a79d499e3d57c7759d993afee903aa287d81b94ebe277c94625556216ffe588ed95b378

Download Submit
C:\Users\Admin\boIcsYwI\wqwkQYwU.exe

Filesize
433KB

MD5
6c083be52d641c41b8db0edcbcac68e8

SHA1
cae79eba195fc46c873367fec6b6ec98e6a15c29

SHA256
20c4932872e198f212fc37b28fe60d5075032c1fd5fe0ce73d232a85cd0a24ab

SHA512
ab490d43b132ba8ab455bb1b02d8133c2ada60f8c6cdd694d0b3a5186a79d499e3d57c7759d993afee903aa287d81b94ebe277c94625556216ffe588ed95b378

Download Submit
memory/8-281-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/100-252-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/100-253-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/220-141-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/220-277-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/540-169-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/540-174-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/644-302-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/884-296-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/884-303-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1136-156-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1216-321-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1284-310-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1320-315-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1328-307-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1328-309-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1404-294-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1404-291-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1480-314-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-262-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-261-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-313-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-311-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1616-308-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1824-236-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1856-319-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1856-318-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1900-322-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1940-306-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-289-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2600-305-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2600-304-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2704-275-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2780-316-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2912-212-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2912-202-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3244-282-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3380-266-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3488-190-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3500-320-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3544-257-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3768-201-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3856-144-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3856-280-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4008-244-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4008-241-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4200-300-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4200-301-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4296-323-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4332-248-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4368-225-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4368-224-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4380-312-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4380-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4380-132-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4408-299-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4472-285-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4476-283-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4552-168-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4592-140-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4592-276-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4748-317-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4808-268-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4808-269-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download