641130fcae1b019622ed1c9711c7cd6888cee2006e9393dd19d9bf17563c3a4a

Analysis

max time kernel
16s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2023 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4d99b4c2398c9exeexeexeex.exe
Size

189KB
MD5

e4d99b4c2398c93b1f2b10e2654f6a16
SHA1

4fae6d358c1c12e60734d7af63d4e00aad92b751
SHA256

641130fcae1b019622ed1c9711c7cd6888cee2006e9393dd19d9bf17563c3a4a
SHA512

0a938b6a5df7139907ea4d866cd47493f9e362ee2bb63780dce5dd3be463d78dd14a070cfe5a16f76762789803fe999726e964914d425d9cbd923efbc723c32b
SSDEEP

3072:SH06xfl/ijOsiekvgU3o3pjrgkNVZIJmWcoINr6Akl8oefTwKeEWPPrg0:IXvgU30pnV2JmWcoINr6Akl8oEwKeBLT

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 42 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e4d99b4c2398c9exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e4d99b4c2398c9exeexeexeex.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e4d99b4c2398c9exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e4d99b4c2398c9exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e4d99b4c2398c9exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
4256	yswcMwss.exe
3320	IAkMsQQE.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yswcMwss.exe = "C:\\Users\\Admin\\MMksoswg\\yswcMwss.exe"	e4d99b4c2398c9exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IAkMsQQE.exe = "C:\\ProgramData\\QAUgkMsg\\IAkMsQQE.exe"	e4d99b4c2398c9exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yswcMwss.exe = "C:\\Users\\Admin\\MMksoswg\\yswcMwss.exe"	yswcMwss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IAkMsQQE.exe = "C:\\ProgramData\\QAUgkMsg\\IAkMsQQE.exe"	IAkMsQQE.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e4d99b4c2398c9exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e4d99b4c2398c9exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e4d99b4c2398c9exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e4d99b4c2398c9exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e4d99b4c2398c9exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e4d99b4c2398c9exeexeexeex.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3280	taskkill.exe
4832	taskkill.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2432	reg.exe
4860	reg.exe
3280	reg.exe
4492	reg.exe
5032	reg.exe
2124	reg.exe
464	reg.exe
4408	reg.exe
3292	reg.exe
5032	reg.exe
1588	reg.exe
2916	reg.exe
3260	reg.exe
3580	reg.exe
4328	reg.exe
2688	reg.exe
3108	reg.exe
2056	reg.exe
4764	reg.exe
3496	reg.exe
452	reg.exe
2256	reg.exe
2624	reg.exe
2728	reg.exe
4516	reg.exe
4260	reg.exe
2680	reg.exe
3340	reg.exe
5004	reg.exe
1680	reg.exe
4876	reg.exe
392	reg.exe
3756	reg.exe
1880	reg.exe
4804	reg.exe
4708	reg.exe
4336	reg.exe
4520	reg.exe
4796	reg.exe
1884	reg.exe
3108	reg.exe
1932	reg.exe
2072	reg.exe
3380	reg.exe
2660	reg.exe
3508	reg.exe
4988	reg.exe
4332	reg.exe
3864	reg.exe
2652	reg.exe
4304	reg.exe
2388	reg.exe
2652	reg.exe
1588	reg.exe
5024	reg.exe
4240	reg.exe
668	reg.exe
4152	reg.exe
4544	reg.exe
2056	reg.exe
1044	reg.exe
4456	reg.exe
4952	reg.exe
4472	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4680	e4d99b4c2398c9exeexeexeex.exe
4680	e4d99b4c2398c9exeexeexeex.exe
4680	e4d99b4c2398c9exeexeexeex.exe
4680	e4d99b4c2398c9exeexeexeex.exe
4584	e4d99b4c2398c9exeexeexeex.exe
4584	e4d99b4c2398c9exeexeexeex.exe
4584	e4d99b4c2398c9exeexeexeex.exe
4584	e4d99b4c2398c9exeexeexeex.exe
5076	e4d99b4c2398c9exeexeexeex.exe
5076	e4d99b4c2398c9exeexeexeex.exe
5076	e4d99b4c2398c9exeexeexeex.exe
5076	e4d99b4c2398c9exeexeexeex.exe
5036	e4d99b4c2398c9exeexeexeex.exe
5036	e4d99b4c2398c9exeexeexeex.exe
5036	e4d99b4c2398c9exeexeexeex.exe
5036	e4d99b4c2398c9exeexeexeex.exe
4200	e4d99b4c2398c9exeexeexeex.exe
4200	e4d99b4c2398c9exeexeexeex.exe
4200	e4d99b4c2398c9exeexeexeex.exe
4200	e4d99b4c2398c9exeexeexeex.exe
4008	e4d99b4c2398c9exeexeexeex.exe
4008	e4d99b4c2398c9exeexeexeex.exe
4008	e4d99b4c2398c9exeexeexeex.exe
4008	e4d99b4c2398c9exeexeexeex.exe
1676	cmd.exe
1676	cmd.exe
1676	cmd.exe
1676	cmd.exe
1312	e4d99b4c2398c9exeexeexeex.exe
1312	e4d99b4c2398c9exeexeexeex.exe
1312	e4d99b4c2398c9exeexeexeex.exe
1312	e4d99b4c2398c9exeexeexeex.exe
1712	Conhost.exe
1712	Conhost.exe
1712	Conhost.exe
1712	Conhost.exe
4068	e4d99b4c2398c9exeexeexeex.exe
4068	e4d99b4c2398c9exeexeexeex.exe
4068	e4d99b4c2398c9exeexeexeex.exe
4068	e4d99b4c2398c9exeexeexeex.exe
4796	e4d99b4c2398c9exeexeexeex.exe
4796	e4d99b4c2398c9exeexeexeex.exe
4796	e4d99b4c2398c9exeexeexeex.exe
4796	e4d99b4c2398c9exeexeexeex.exe
2104	e4d99b4c2398c9exeexeexeex.exe
2104	e4d99b4c2398c9exeexeexeex.exe
2104	e4d99b4c2398c9exeexeexeex.exe
2104	e4d99b4c2398c9exeexeexeex.exe
1904	e4d99b4c2398c9exeexeexeex.exe
1904	e4d99b4c2398c9exeexeexeex.exe
1904	e4d99b4c2398c9exeexeexeex.exe
1904	e4d99b4c2398c9exeexeexeex.exe
4444	Conhost.exe
4444	Conhost.exe
4444	Conhost.exe
4444	Conhost.exe
3876	cmd.exe
3876	cmd.exe
3876	cmd.exe
3876	cmd.exe
2848	e4d99b4c2398c9exeexeexeex.exe
2848	e4d99b4c2398c9exeexeexeex.exe
2848	e4d99b4c2398c9exeexeexeex.exe
2848	e4d99b4c2398c9exeexeexeex.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 4256	4680	e4d99b4c2398c9exeexeexeex.exe	86
PID 4680 wrote to memory of 4256	4680	e4d99b4c2398c9exeexeexeex.exe	86
PID 4680 wrote to memory of 4256	4680	e4d99b4c2398c9exeexeexeex.exe	86
PID 4680 wrote to memory of 3320	4680	e4d99b4c2398c9exeexeexeex.exe	89
PID 4680 wrote to memory of 3320	4680	e4d99b4c2398c9exeexeexeex.exe	89
PID 4680 wrote to memory of 3320	4680	e4d99b4c2398c9exeexeexeex.exe	89
PID 4680 wrote to memory of 4876	4680	e4d99b4c2398c9exeexeexeex.exe	87
PID 4680 wrote to memory of 4876	4680	e4d99b4c2398c9exeexeexeex.exe	87
PID 4680 wrote to memory of 4876	4680	e4d99b4c2398c9exeexeexeex.exe	87
PID 4680 wrote to memory of 4132	4680	e4d99b4c2398c9exeexeexeex.exe	90
PID 4680 wrote to memory of 4132	4680	e4d99b4c2398c9exeexeexeex.exe	90
PID 4680 wrote to memory of 4132	4680	e4d99b4c2398c9exeexeexeex.exe	90
PID 4680 wrote to memory of 4064	4680	e4d99b4c2398c9exeexeexeex.exe	93
PID 4680 wrote to memory of 4064	4680	e4d99b4c2398c9exeexeexeex.exe	93
PID 4680 wrote to memory of 4064	4680	e4d99b4c2398c9exeexeexeex.exe	93
PID 4680 wrote to memory of 3724	4680	e4d99b4c2398c9exeexeexeex.exe	92
PID 4680 wrote to memory of 3724	4680	e4d99b4c2398c9exeexeexeex.exe	92
PID 4680 wrote to memory of 3724	4680	e4d99b4c2398c9exeexeexeex.exe	92
PID 4680 wrote to memory of 4440	4680	e4d99b4c2398c9exeexeexeex.exe	91
PID 4680 wrote to memory of 4440	4680	e4d99b4c2398c9exeexeexeex.exe	91
PID 4680 wrote to memory of 4440	4680	e4d99b4c2398c9exeexeexeex.exe	91
PID 4440 wrote to memory of 1752	4440	cmd.exe	99
PID 4440 wrote to memory of 1752	4440	cmd.exe	99
PID 4440 wrote to memory of 1752	4440	cmd.exe	99
PID 4876 wrote to memory of 4584	4876	cmd.exe	98
PID 4876 wrote to memory of 4584	4876	cmd.exe	98
PID 4876 wrote to memory of 4584	4876	cmd.exe	98
PID 4584 wrote to memory of 3400	4584	e4d99b4c2398c9exeexeexeex.exe	100
PID 4584 wrote to memory of 3400	4584	e4d99b4c2398c9exeexeexeex.exe	100
PID 4584 wrote to memory of 3400	4584	e4d99b4c2398c9exeexeexeex.exe	100
PID 3400 wrote to memory of 5076	3400	cmd.exe	102
PID 3400 wrote to memory of 5076	3400	cmd.exe	102
PID 3400 wrote to memory of 5076	3400	cmd.exe	102
PID 4584 wrote to memory of 1532	4584	e4d99b4c2398c9exeexeexeex.exe	103
PID 4584 wrote to memory of 1532	4584	e4d99b4c2398c9exeexeexeex.exe	103
PID 4584 wrote to memory of 1532	4584	e4d99b4c2398c9exeexeexeex.exe	103
PID 4584 wrote to memory of 2992	4584	e4d99b4c2398c9exeexeexeex.exe	110
PID 4584 wrote to memory of 2992	4584	e4d99b4c2398c9exeexeexeex.exe	110
PID 4584 wrote to memory of 2992	4584	e4d99b4c2398c9exeexeexeex.exe	110
PID 4584 wrote to memory of 1676	4584	e4d99b4c2398c9exeexeexeex.exe	151
PID 4584 wrote to memory of 1676	4584	e4d99b4c2398c9exeexeexeex.exe	151
PID 4584 wrote to memory of 1676	4584	e4d99b4c2398c9exeexeexeex.exe	151
PID 4584 wrote to memory of 544	4584	e4d99b4c2398c9exeexeexeex.exe	109
PID 4584 wrote to memory of 544	4584	e4d99b4c2398c9exeexeexeex.exe	109
PID 4584 wrote to memory of 544	4584	e4d99b4c2398c9exeexeexeex.exe	109
PID 544 wrote to memory of 3480	544	cmd.exe	111
PID 544 wrote to memory of 3480	544	cmd.exe	111
PID 544 wrote to memory of 3480	544	cmd.exe	111
PID 5076 wrote to memory of 4152	5076	e4d99b4c2398c9exeexeexeex.exe	112
PID 5076 wrote to memory of 4152	5076	e4d99b4c2398c9exeexeexeex.exe	112
PID 5076 wrote to memory of 4152	5076	e4d99b4c2398c9exeexeexeex.exe	112
PID 5076 wrote to memory of 1008	5076	e4d99b4c2398c9exeexeexeex.exe	114
PID 5076 wrote to memory of 1008	5076	e4d99b4c2398c9exeexeexeex.exe	114
PID 5076 wrote to memory of 1008	5076	e4d99b4c2398c9exeexeexeex.exe	114
PID 5076 wrote to memory of 2652	5076	e4d99b4c2398c9exeexeexeex.exe	115
PID 5076 wrote to memory of 2652	5076	e4d99b4c2398c9exeexeexeex.exe	115
PID 5076 wrote to memory of 2652	5076	e4d99b4c2398c9exeexeexeex.exe	115
PID 5076 wrote to memory of 3108	5076	e4d99b4c2398c9exeexeexeex.exe	116
PID 5076 wrote to memory of 3108	5076	e4d99b4c2398c9exeexeexeex.exe	116
PID 5076 wrote to memory of 3108	5076	e4d99b4c2398c9exeexeexeex.exe	116
PID 5076 wrote to memory of 3396	5076	e4d99b4c2398c9exeexeexeex.exe	117
PID 5076 wrote to memory of 3396	5076	e4d99b4c2398c9exeexeexeex.exe	117
PID 5076 wrote to memory of 3396	5076	e4d99b4c2398c9exeexeexeex.exe	117
PID 4152 wrote to memory of 5036	4152	cmd.exe	122

System policy modification 1 TTPs 16 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e4d99b4c2398c9exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e4d99b4c2398c9exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e4d99b4c2398c9exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e4d99b4c2398c9exeexeexeex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e4d99b4c2398c9exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e4d99b4c2398c9exeexeexeex.exe

C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\MMksoswg\yswcMwss.exe
  "C:\Users\Admin\MMksoswg\yswcMwss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "USERNAME eq Admin" /F /IM IAkMsQQE.exe
    3⤵
    - Kills process with taskkill
    PID:4832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
    C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3400
    - - C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        8⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        10⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        12⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        13⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        14⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        16⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        17⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        18⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        20⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        22⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        26⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        27⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        28⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        29⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        30⤵
        
        PID:3776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        32⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        33⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        34⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        35⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        36⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        37⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        38⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        39⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        40⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        41⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        42⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        43⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        44⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        45⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        46⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        47⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        48⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        49⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        50⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        51⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        52⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        53⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        54⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        55⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        56⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        57⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        58⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        59⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        60⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        61⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        62⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        63⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        64⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        65⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        66⤵
        
        PID:4056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        67⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        68⤵
        
        PID:4516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        69⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        70⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        71⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        72⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        73⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        74⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        75⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        76⤵
        
        PID:4304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        UAC bypass
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        77⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        78⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        79⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        80⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        81⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        82⤵
        
        PID:4056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        83⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        84⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        85⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        86⤵
        
        PID:5076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        87⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        88⤵
        
        PID:4528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        89⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        90⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        91⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        92⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        93⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        94⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        95⤵
        Modifies visibility of file extensions in Explorer
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        96⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        97⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        98⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        99⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        100⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        101⤵
        
        PID:4464
        
        C:\Users\Admin\MMksoswg\yswcMwss.exe
        
        "C:\Users\Admin\MMksoswg\yswcMwss.exe"
        102⤵
        
        PID:1436
        
        C:\ProgramData\QAUgkMsg\IAkMsQQE.exe
        
        "C:\ProgramData\QAUgkMsg\IAkMsQQE.exe"
        102⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        102⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        103⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        104⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        105⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        106⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        107⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        108⤵
        
        PID:1016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        UAC bypass
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        109⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        110⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        111⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        112⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        113⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        114⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        115⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        116⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        117⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        118⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        119⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        120⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        121⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        122⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        123⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        124⤵
        
        PID:2616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        125⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        126⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        127⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        128⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        129⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        130⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        131⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        132⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        133⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        135⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        136⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        137⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        138⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        139⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        140⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        141⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        142⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        143⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        144⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        145⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        146⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        147⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        148⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        149⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        150⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        151⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        152⤵
        
        PID:748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        153⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        154⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        155⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        156⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        157⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        158⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        159⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        160⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        161⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        162⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        163⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        164⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        165⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        166⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        167⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        168⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        169⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        170⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        171⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        172⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        173⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        174⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        175⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        176⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        177⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        178⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        179⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        180⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        181⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        182⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        183⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex"
        184⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex
        185⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmsQoYwo.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        184⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcIUskMI.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        182⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOIIskgw.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        180⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        Modifies registry key
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSAMAQwE.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        178⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKAwQIQM.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        176⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies registry key
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMUUsIQA.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        174⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        Modifies registry key
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOAQMQME.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        172⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksAkQcgs.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        170⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awQEgIYA.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        168⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies registry key
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAAEEQQg.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        166⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mawYAEUA.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        164⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies registry key
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQEcYAIk.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        162⤵
        
        PID:392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        UAC bypass
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGsYUsIM.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        160⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        Modifies registry key
        
        PID:4988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIYQkQwI.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        158⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies registry key
        
        PID:3508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        Modifies registry key
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        Modifies registry key
        
        PID:2624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toAIEQgc.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        156⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMoIokwA.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        154⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyIEMwYU.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        152⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiMggAAw.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        150⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyYEQcwU.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        148⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIYMkEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        146⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAowgwsE.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        144⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies registry key
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGUcwYAY.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        142⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYEUsEsM.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        140⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies registry key
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwkIkggs.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        138⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        Modifies registry key
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xksMoUIk.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        136⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKYwQUgg.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        134⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nekMgQko.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        132⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcowYcAc.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        130⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        Modifies registry key
        
        PID:1680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMoEooEY.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        128⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        UAC bypass
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcIAQMYI.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        126⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        Modifies registry key
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkwEkAQc.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        124⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGIEIcoc.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        122⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies registry key
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYYoUgcw.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        120⤵
        
        PID:2860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKcUskUk.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        118⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jisQMssg.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        116⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ToIYUsgE.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        114⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        UAC bypass
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGUIsIMw.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        112⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAAMEMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        110⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:1172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWEgwsEM.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        108⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:4452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAEUkYgw.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        106⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        UAC bypass
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkIMookU.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        104⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsAcwQIA.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        102⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies registry key
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAwkEoss.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        100⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMkMYoAo.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        98⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwUoMkYU.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        96⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIMcUUAY.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        94⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkscAcIs.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        92⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEwgEkAo.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        90⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWQgMEIM.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        88⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYEEoQUw.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        86⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcUAsYQM.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        84⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOoEQwUs.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        82⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGkIUEcA.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        80⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyggwMMc.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        78⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUIsMUck.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        76⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUsEwUsg.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        74⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUIYwIME.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        72⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOEkcIUU.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        70⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMcYAUQA.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        68⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMIwUAMI.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        66⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUwcUMQo.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        64⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWAocAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        62⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEgwYUsU.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        60⤵
        
        PID:3580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        UAC bypass
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        UAC bypass
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUYYkcUc.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        58⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgAgkwQE.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        56⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksEkIAAo.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        54⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAcYUgQk.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        52⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PisIgIIM.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        50⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUYAAIos.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        48⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgAQUMAw.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        46⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWMgUoko.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:2680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCQAUkwk.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        42⤵
        
        PID:3024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIwgQkYI.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkQwUIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        38⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAIwQgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        36⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUwMgwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        34⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQUAIUIg.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        32⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSQIEcoU.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        30⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqAgMEgM.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        28⤵
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEgIsQQs.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        26⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiIsQIUc.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        24⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMUEYkcY.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        22⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EaswAkAs.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        20⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies registry key
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcogEwcY.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        18⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgYIgIMU.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        16⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiskcsoA.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        14⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgoAcEoo.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        12⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uggkQgks.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        10⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkcgIgIA.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        8⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1476
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1008
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2652
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:3108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQEccoQw.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
        6⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1916
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1532
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgIEUokE.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3480
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2992
- C:\ProgramData\QAUgkMsg\IAkMsQQE.exe
  "C:\ProgramData\QAUgkMsg\IAkMsQQE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "USERNAME eq Admin" /F /IM yswcMwss.exe
    3⤵
    - Kills process with taskkill
    PID:3280
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PywQcooI.bat" "C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1752
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3724
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QAUgkMsg\IAkMsQQE.exe

Filesize
191KB

MD5
9dd4a9306ce649036ab7e36c0777e434

SHA1
5b5ac0919430954ba5afe019a210dec426bd4617

SHA256
157b23ef8904041713bf11a109863a862031f06ecdcb195569121fbaaec6ebe0

SHA512
4a022d277b5bfbbde900d7a9bdb8ddd153951b14309389b424cc6284f8dc7c81447cbea50b0ea948dfd4b14cc94cd079d798026b1706010bb28c79c802cf249c

Download Submit
C:\ProgramData\QAUgkMsg\IAkMsQQE.exe

Filesize
191KB

MD5
9dd4a9306ce649036ab7e36c0777e434

SHA1
5b5ac0919430954ba5afe019a210dec426bd4617

SHA256
157b23ef8904041713bf11a109863a862031f06ecdcb195569121fbaaec6ebe0

SHA512
4a022d277b5bfbbde900d7a9bdb8ddd153951b14309389b424cc6284f8dc7c81447cbea50b0ea948dfd4b14cc94cd079d798026b1706010bb28c79c802cf249c

Download Submit
C:\ProgramData\QAUgkMsg\IAkMsQQE.inf

Filesize
4B

MD5
58f9194865dcf2c1a82432bf3a697f42

SHA1
d325bb583d847bd2b7a6c73fa3b9ac7543f2e822

SHA256
8caf4d6a3c1acc82a9c9756d7e13406d3d7df5936cdbdbe20eadfb650c532416

SHA512
7c3626761a595ae53fe04f4a3ccae87a761a6ca78cecb30f78b03be4457544caf89526c3a65bf35397d136d9c625c848d63002235e8c6a00978c898573731e40

Download Submit
C:\ProgramData\QAUgkMsg\IAkMsQQE.inf

Filesize
4B

MD5
4f5650fa3b6801393bd73cf84f92c354

SHA1
a06796327fd42a4567bd8f332fb442406c51ee22

SHA256
ae897edab1635c760f4babf1c0705b359da7e3e8b9bec98c6565258a8ba7f333

SHA512
675ce61dab5f3298de8d5f073dfd1f5843b34102c5346a37274e9e190d590c01a0cf13b49a6ae4d42ab6948747a091a1cb56e6e772303c3d2a53446d241ac64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgIEUokE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EaswAkAs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiskcsoA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQEccoQw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQEccoQw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkcgIgIA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAIwQgIQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OiIsQIUc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgYIgIMU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PywQcooI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgoAcEoo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSQIEcoU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUwMgwgQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4d99b4c2398c9exeexeexeex

Filesize
2KB

MD5
711f4e22670fc5798e4f84250c0d0eaa

SHA1
1a1582650e218b0be6ffdeffd64d27f4b9a9870f

SHA256
5fc25c30aee76477f1c4e922931cc806823df059525583ff5705705d9e913c1c

SHA512
220c36010208a87d0f674da06d6f5b4d6101d196544abcb4ee32378c46c781589db1ce7c7dfe6471a8d8e388ee6a279db237b18af1eb9130ff9d0222578f1589

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEgIsQQs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQUAIUIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqAgMEgM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcogEwcY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uggkQgks.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkQwUIsQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMUEYkcY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\MMksoswg\yswcMwss.exe

Filesize
196KB

MD5
9fe2934f3d263564de3abc08285958f6

SHA1
82f89aa32c4b33c356180c5126308fbdb66a6b3d

SHA256
3d2d02a3314eb09973fa91cf3c361870d6717e702d32d273559db2abb7edd869

SHA512
6fe36580d71523cdaa63bc830654fd353d54283e2c6d020663259483f98ee7284907932f69ad84388594a6c5551ae65b510927630fa8bfe2e938d7dbe51175af

Download Submit
C:\Users\Admin\MMksoswg\yswcMwss.exe

Filesize
196KB

MD5
9fe2934f3d263564de3abc08285958f6

SHA1
82f89aa32c4b33c356180c5126308fbdb66a6b3d

SHA256
3d2d02a3314eb09973fa91cf3c361870d6717e702d32d273559db2abb7edd869

SHA512
6fe36580d71523cdaa63bc830654fd353d54283e2c6d020663259483f98ee7284907932f69ad84388594a6c5551ae65b510927630fa8bfe2e938d7dbe51175af

Download Submit
C:\Users\Admin\MMksoswg\yswcMwss.inf

Filesize
4B

MD5
58f9194865dcf2c1a82432bf3a697f42

SHA1
d325bb583d847bd2b7a6c73fa3b9ac7543f2e822

SHA256
8caf4d6a3c1acc82a9c9756d7e13406d3d7df5936cdbdbe20eadfb650c532416

SHA512
7c3626761a595ae53fe04f4a3ccae87a761a6ca78cecb30f78b03be4457544caf89526c3a65bf35397d136d9c625c848d63002235e8c6a00978c898573731e40

Download Submit
C:\Users\Admin\MMksoswg\yswcMwss.inf

Filesize
4B

MD5
4f5650fa3b6801393bd73cf84f92c354

SHA1
a06796327fd42a4567bd8f332fb442406c51ee22

SHA256
ae897edab1635c760f4babf1c0705b359da7e3e8b9bec98c6565258a8ba7f333

SHA512
675ce61dab5f3298de8d5f073dfd1f5843b34102c5346a37274e9e190d590c01a0cf13b49a6ae4d42ab6948747a091a1cb56e6e772303c3d2a53446d241ac64a

Download Submit
memory/116-396-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/552-566-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1012-460-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1012-467-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1012-504-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1172-450-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1312-239-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1312-234-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1444-349-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1444-362-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1676-226-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1712-250-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1712-235-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1864-386-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1864-379-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1864-423-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1904-299-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2056-458-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2104-286-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2124-531-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2336-539-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2364-602-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2364-610-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2492-558-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2616-406-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2616-413-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2728-433-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2728-440-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2828-375-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2848-337-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3136-487-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3136-494-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3320-165-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3396-485-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3404-585-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3540-523-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3584-575-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3584-568-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3744-601-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3876-324-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4008-213-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4068-263-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4132-513-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4132-509-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4200-198-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4200-202-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4256-164-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4356-593-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4444-311-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4444-303-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4584-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4588-431-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4680-133-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4680-150-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4740-477-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4796-275-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4796-267-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4860-348-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5032-540-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5032-548-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5036-190-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5076-177-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5076-166-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5084-404-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download