279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb

Analysis

max time kernel
129s
max time network
127s
platform
windows10_x64
resource
win10v20210408
submitted
11-05-2021 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Size

532KB
MD5

2146eb12d4f3329cb86bb6d297f6c157
SHA1

8ad0a576e0f8b3cc3f10d5cf75d9bb6890ded77d
SHA256

279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
SHA512

d700600c6b41f4231b93b424624292a0cd8106204b00a3c550dab67bee526686a003511508390b3ece947506ea084e9a2cf77e0c84c00edf400f8e67099f39f9

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\VEQEYwoA\\TUEEgsAQ.exe,"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\VEQEYwoA\\TUEEgsAQ.exe,"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

xgcosEws.exeTUEEgsAQ.exepcsUUkIQ.exe

pid process

2256 xgcosEws.exe
3444 TUEEgsAQ.exe
3556 pcsUUkIQ.exe

pid	process
2256	xgcosEws.exe
3444	TUEEgsAQ.exe
3556	pcsUUkIQ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TUEEgsAQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	TUEEgsAQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xgcosEws.exeTUEEgsAQ.exepcsUUkIQ.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xgcosEws.exe = "C:\\Users\\Admin\\kqIIEcwU\\xgcosEws.exe"	xgcosEws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TUEEgsAQ.exe = "C:\\ProgramData\\VEQEYwoA\\TUEEgsAQ.exe"	TUEEgsAQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TUEEgsAQ.exe = "C:\\ProgramData\\VEQEYwoA\\TUEEgsAQ.exe"	pcsUUkIQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xgcosEws.exe = "C:\\Users\\Admin\\kqIIEcwU\\xgcosEws.exe"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TUEEgsAQ.exe = "C:\\ProgramData\\VEQEYwoA\\TUEEgsAQ.exe"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cmd.execscript.execscript.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execmd.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execmd.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execscript.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

pcsUUkIQ.exeTUEEgsAQ.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\kqIIEcwU	pcsUUkIQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\kqIIEcwU\xgcosEws	pcsUUkIQ.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	TUEEgsAQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
2888	reg.exe
2552	reg.exe
2888	reg.exe
2664	reg.exe
3800	reg.exe
2552	reg.exe
3824	reg.exe
3944	reg.exe
2808	reg.exe
2308	reg.exe
2188	reg.exe
2988	reg.exe
3008	reg.exe
3784	reg.exe
2960	reg.exe
3800	reg.exe
1020	reg.exe
2152	reg.exe
3952	reg.exe
3480	reg.exe
1632	reg.exe
1872	reg.exe
2552	reg.exe
2248	reg.exe
2300	reg.exe
768	reg.exe
2172	reg.exe
1164	reg.exe
1336	reg.exe
768	reg.exe
3012	reg.exe
3588	reg.exe
2300	reg.exe
1976	reg.exe
2264	reg.exe
3620	reg.exe
3972	reg.exe
2860	reg.exe
2196	reg.exe
976	reg.exe
1704	reg.exe
1324	reg.exe
1336	reg.exe
2248	reg.exe
3744	reg.exe
2064	reg.exe
1324	reg.exe
3716	reg.exe
2248	reg.exe
3688	reg.exe
3008	reg.exe
1160	reg.exe
2276	reg.exe
3768	reg.exe
2248	reg.exe
492	reg.exe
2196	reg.exe
3744	reg.exe
3252	reg.exe
2264	reg.exe
916	reg.exe
1288	reg.exe
740	reg.exe
3684	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exeConhost.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execscript.exereg.exeConhost.exeConhost.exeConhost.exe

pid	process
636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1344	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1344	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1344	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1344	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2248	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2248	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2248	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2248	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
3892	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
3892	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
3892	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
3892	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1632	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1632	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1632	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
1632	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
3704	Conhost.exe
3704	Conhost.exe
3704	Conhost.exe
3704	Conhost.exe
2100	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2100	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2100	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2100	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2104	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2104	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2104	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2104	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
3940	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
3940	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
3940	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
3940	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
2208	cscript.exe
2208	cscript.exe
2208	cscript.exe
2208	cscript.exe
1164	reg.exe
1164	reg.exe
1164	reg.exe
1164	reg.exe
3988	Conhost.exe
3988	Conhost.exe
3988	Conhost.exe
3988	Conhost.exe
2064	Conhost.exe
2064	Conhost.exe
2064	Conhost.exe
2064	Conhost.exe
2752	Conhost.exe
2752	Conhost.exe
2752	Conhost.exe
2752	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execmd.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execmd.execmd.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execmd.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe

description	pid	process	target process
PID 636 wrote to memory of 2256	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	xgcosEws.exe
PID 636 wrote to memory of 2256	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	xgcosEws.exe
PID 636 wrote to memory of 2256	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	xgcosEws.exe
PID 636 wrote to memory of 3444	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	TUEEgsAQ.exe
PID 636 wrote to memory of 3444	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	TUEEgsAQ.exe
PID 636 wrote to memory of 3444	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	TUEEgsAQ.exe
PID 636 wrote to memory of 2860	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 636 wrote to memory of 2860	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 636 wrote to memory of 2860	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 636 wrote to memory of 3012	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 636 wrote to memory of 3012	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 636 wrote to memory of 3012	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 636 wrote to memory of 2888	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 636 wrote to memory of 2888	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 636 wrote to memory of 2888	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 636 wrote to memory of 1976	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 636 wrote to memory of 1976	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 636 wrote to memory of 1976	636	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 2860 wrote to memory of 1704	2860	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 2860 wrote to memory of 1704	2860	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 2860 wrote to memory of 1704	2860	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 1704 wrote to memory of 3704	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1704 wrote to memory of 3704	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1704 wrote to memory of 3704	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1704 wrote to memory of 3784	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1704 wrote to memory of 3784	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1704 wrote to memory of 3784	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1704 wrote to memory of 3800	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1704 wrote to memory of 3800	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1704 wrote to memory of 3800	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1704 wrote to memory of 2276	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1704 wrote to memory of 2276	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1704 wrote to memory of 2276	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 1704 wrote to memory of 2840	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1704 wrote to memory of 2840	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1704 wrote to memory of 2840	1704	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 3704 wrote to memory of 2224	3704	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 3704 wrote to memory of 2224	3704	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 3704 wrote to memory of 2224	3704	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 2840 wrote to memory of 3716	2840	cmd.exe	cscript.exe
PID 2840 wrote to memory of 3716	2840	cmd.exe	cscript.exe
PID 2840 wrote to memory of 3716	2840	cmd.exe	cscript.exe
PID 2224 wrote to memory of 1500	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 2224 wrote to memory of 1500	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 2224 wrote to memory of 1500	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1500 wrote to memory of 1344	1500	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 1500 wrote to memory of 1344	1500	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 1500 wrote to memory of 1344	1500	cmd.exe	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
PID 2224 wrote to memory of 2888	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 2224 wrote to memory of 2888	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 2224 wrote to memory of 2888	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 2224 wrote to memory of 2736	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 2224 wrote to memory of 2736	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 2224 wrote to memory of 2736	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 2224 wrote to memory of 2300	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 2224 wrote to memory of 2300	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 2224 wrote to memory of 2300	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	reg.exe
PID 2224 wrote to memory of 3316	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 2224 wrote to memory of 3316	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 2224 wrote to memory of 3316	2224	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1344 wrote to memory of 1632	1344	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1344 wrote to memory of 1632	1344	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1344 wrote to memory of 1632	1344	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe	cmd.exe
PID 1344 wrote to memory of 3944	1344		reg.exe

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

Processes:

cmd.execmd.execscript.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.execmd.execscript.execscript.exe279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
"C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\kqIIEcwU\xgcosEws.exe
"C:\Users\Admin\kqIIEcwU\xgcosEws.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2256

C:\ProgramData\VEQEYwoA\TUEEgsAQ.exe
"C:\ProgramData\VEQEYwoA\TUEEgsAQ.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
2⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
4⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
6⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
8⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
10⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
12⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
14⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
15⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
16⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
18⤵
PID:3988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
20⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
22⤵
PID:188

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
23⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
24⤵
PID:3948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
25⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
26⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
27⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
28⤵
PID:784

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
29⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
30⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
31⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
32⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
33⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
34⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
35⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
36⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
37⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
38⤵
PID:2196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
39⤵
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
40⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
41⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
42⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
43⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
44⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
45⤵
- Checks whether UAC is enabled
- System policy modification
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
46⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
47⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
48⤵
PID:3992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
49⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
50⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
51⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
52⤵
PID:492

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
53⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
54⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
55⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
56⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
57⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
58⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
59⤵
- Checks whether UAC is enabled
- System policy modification
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
60⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
61⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
62⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
63⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
64⤵
- Checks whether UAC is enabled
- System policy modification
PID:3620

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
65⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
66⤵
PID:892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
67⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
68⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
69⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
70⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
71⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
72⤵
PID:1144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
73⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
74⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
75⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
76⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
77⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
78⤵
PID:3480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
79⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
80⤵
PID:3052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
81⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
82⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
83⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
84⤵
PID:188

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
85⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
86⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
87⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
88⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
89⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
90⤵
PID:3316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
91⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb"
92⤵
PID:628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
93⤵
- Checks whether UAC is enabled
- System policy modification
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies registry key
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QewsccwU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
92⤵
PID:2364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:1336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:3944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:3744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:2224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEkEgksQ.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
90⤵
PID:2156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
- Checks whether UAC is enabled
- System policy modification
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:4032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:3104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEYIMEoc.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
88⤵
PID:3804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:2188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMMgwAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
86⤵
PID:3188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
- Checks whether UAC is enabled
- System policy modification
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOswMQww.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
84⤵
- Checks whether UAC is enabled
- System policy modification
PID:2248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:3268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- Modifies registry key
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAsssQIA.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
82⤵
PID:2224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- Modifies registry key
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:3768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies registry key
PID:3784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- Modifies registry key
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiEEMIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
80⤵
PID:2840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:3956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUsUwgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
78⤵
PID:3944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- Modifies registry key
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
- Modifies registry key
PID:2064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkUsAYME.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
76⤵
PID:1180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:3688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
78⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- Modifies registry key
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- Modifies registry key
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeYkIwEs.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
74⤵
PID:3988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:3904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:2152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:3452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGwsQwAU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
72⤵
PID:1020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:2264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:1008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWkUwssw.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
70⤵
PID:3104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmkMgEkg.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
68⤵
PID:3944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:2276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies registry key
PID:1324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAwYowcM.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
66⤵
PID:2168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- Modifies registry key
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:3824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:2196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies registry key
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSAswwYE.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
64⤵
PID:628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:3256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMMYAkgA.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
62⤵
PID:3916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- Modifies registry key
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies registry key
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKYowooQ.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
60⤵
PID:980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- Modifies registry key
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies registry key
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQUgcAQw.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
58⤵
PID:1008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- Modifies registry key
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAkoAMgk.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
56⤵
PID:3904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies registry key
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAAwIEIg.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
54⤵
PID:2300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xukMUAkw.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
52⤵
PID:2272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:2216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- Modifies registry key
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies registry key
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUEswcgU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
50⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- Modifies registry key
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies registry key
PID:2300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
50⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaIcskYs.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
48⤵
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- Modifies registry key
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies registry key
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIcocIIw.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
46⤵
PID:1344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies registry key
PID:3768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YycUIQsA.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
44⤵
PID:860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:1704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
44⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JasAUwos.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
42⤵
- Checks whether UAC is enabled
- System policy modification
PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:1344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkMwQAYU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
40⤵
PID:3008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwoMQgEo.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
38⤵
PID:1804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies registry key
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuwAowYc.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
36⤵
PID:3716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies registry key
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmEIkYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
34⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:3952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies registry key
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- Modifies registry key
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nacMEYkg.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
32⤵
PID:2152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGQYkQsg.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
30⤵
PID:3844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:3800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMYUswAo.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
28⤵
PID:1496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:3008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCIwkQEA.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
26⤵
PID:2988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies registry key
PID:1324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zukgQcAw.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
24⤵
PID:1160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:3744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
26⤵
PID:3796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- Modifies registry key
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckgkooUg.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
22⤵
PID:2672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- Modifies registry key
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:2196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- Modifies registry key
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMgEoQsk.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
20⤵
PID:2268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies registry key
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies registry key
PID:768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycwQgsgA.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
18⤵
PID:3052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:3784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
17⤵
PID:2168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
18⤵
- Suspicious behavior: EnumeratesProcesses
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngUwYEgU.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
16⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies registry key
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- Modifies registry key
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giAAcoYY.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
14⤵
PID:2364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
- Checks whether UAC is enabled
- System policy modification
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEcMwUgM.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
12⤵
PID:2308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- Modifies registry key
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmckwsAA.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
10⤵
PID:2168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MykIcQkA.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
8⤵
PID:2268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies registry key
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYwQMIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
6⤵
PID:3316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:3784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaksscUE.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqkksIUk.bat" "C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb.exe""
2⤵
PID:740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:3348

C:\ProgramData\uMoEEcQA\pcsUUkIQ.exe
C:\ProgramData\uMoEEcQA\pcsUUkIQ.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VEQEYwoA\TUEEgsAQ.exe
MD5
d5b94aba50eca9b51672c3940eba9404

SHA1
ec8b22b884d794936de0b3a8a5de3b9ab4dd6ecd

SHA256
fef422e75ea612a1081d7ab1b559807fac016bb7d7e034ad1ed4688e9590f935

SHA512
1c26a89f25fb6f9867076d254d69bb3a25a535f52e344285d44be5ff1db0349af092a9ecfee887ddcfe7fe23cd2a3607b705e7d866187a9ce31d4cf61e3811ec

Download Submit
C:\ProgramData\VEQEYwoA\TUEEgsAQ.exe
MD5
d5b94aba50eca9b51672c3940eba9404

SHA1
ec8b22b884d794936de0b3a8a5de3b9ab4dd6ecd

SHA256
fef422e75ea612a1081d7ab1b559807fac016bb7d7e034ad1ed4688e9590f935

SHA512
1c26a89f25fb6f9867076d254d69bb3a25a535f52e344285d44be5ff1db0349af092a9ecfee887ddcfe7fe23cd2a3607b705e7d866187a9ce31d4cf61e3811ec

Download Submit
C:\ProgramData\uMoEEcQA\pcsUUkIQ.exe
MD5
cb897de0da113ca0458f03a726918149

SHA1
18cf2c4802d43f7a4dd777de469f46884df46777

SHA256
49deed7c0015c7d8fde06c3c98617936e0e68c8282c26891192767805abc00f3

SHA512
2a3d84d550eb809d819fe355f598511a74027301f7292e0d27da39560f42f98efce94acba00d0595df47555987da597a42a5ba5814398d61df6e6e644184142c

Download Submit
C:\ProgramData\uMoEEcQA\pcsUUkIQ.exe
MD5
cb897de0da113ca0458f03a726918149

SHA1
18cf2c4802d43f7a4dd777de469f46884df46777

SHA256
49deed7c0015c7d8fde06c3c98617936e0e68c8282c26891192767805abc00f3

SHA512
2a3d84d550eb809d819fe355f598511a74027301f7292e0d27da39560f42f98efce94acba00d0595df47555987da597a42a5ba5814398d61df6e6e644184142c

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\279e64be324c8c9f3863e3bb4aecee03e64a34c071c3fb70b007a2833079fffb
MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEcMwUgM.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HaksscUE.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuwAowYc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JasAUwos.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MykIcQkA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYwQMIgQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkMwQAYU.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMgEoQsk.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwoMQgEo.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckgkooUg.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\giAAcoYY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nacMEYkg.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngUwYEgU.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmckwsAA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMYUswAo.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sCIwkQEA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sGQYkQsg.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmEIkYYQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycwQgsgA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zukgQcAw.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\kqIIEcwU\xgcosEws.exe
MD5
d6553ab8cf7c246718a7ba35d770753f

SHA1
8c7b8eff4d36ca8cf634415398edbd1b61211ec2

SHA256
2703821449473f91087d2c1946b71aa7a633c63da6a85066646748d6444001b7

SHA512
a4e87860a4c62cd336d27330df5b08e84add9d04859a4d39a4af8b9be705890033ce879949888ed5d925f3b65653345f935d0e5062ac8dd11eb98e48e0afb9bc

Download Submit
C:\Users\Admin\kqIIEcwU\xgcosEws.exe
MD5
d6553ab8cf7c246718a7ba35d770753f

SHA1
8c7b8eff4d36ca8cf634415398edbd1b61211ec2

SHA256
2703821449473f91087d2c1946b71aa7a633c63da6a85066646748d6444001b7

SHA512
a4e87860a4c62cd336d27330df5b08e84add9d04859a4d39a4af8b9be705890033ce879949888ed5d925f3b65653345f935d0e5062ac8dd11eb98e48e0afb9bc

Download Submit
memory/672-204-0x0000000000000000-mapping.dmp

Download
memory/740-170-0x0000000000000000-mapping.dmp

Download
memory/768-198-0x0000000000000000-mapping.dmp

Download
memory/784-156-0x0000000000000000-mapping.dmp

Download
memory/976-187-0x0000000000000000-mapping.dmp

Download
memory/980-202-0x0000000000000000-mapping.dmp

Download
memory/1020-181-0x0000000000000000-mapping.dmp

Download
memory/1288-199-0x0000000000000000-mapping.dmp

Download
memory/1336-160-0x0000000000000000-mapping.dmp

Download
memory/1344-138-0x0000000000000000-mapping.dmp

Download
memory/1500-137-0x0000000000000000-mapping.dmp

Download
memory/1632-144-0x0000000000000000-mapping.dmp

Download
memory/1632-173-0x0000000000000000-mapping.dmp

Download
memory/1704-126-0x0000000000000000-mapping.dmp

Download
memory/1976-180-0x0000000000000000-mapping.dmp

Download
memory/1976-125-0x0000000000000000-mapping.dmp

Download
memory/2100-191-0x0000000000000000-mapping.dmp

Download
memory/2104-206-0x0000000000000000-mapping.dmp

Download
memory/2168-162-0x0000000000000000-mapping.dmp

Download
memory/2224-133-0x0000000000000000-mapping.dmp

Download
memory/2224-158-0x0000000000000000-mapping.dmp

Download
memory/2248-151-0x0000000000000000-mapping.dmp

Download
memory/2256-114-0x0000000000000000-mapping.dmp

Download
memory/2264-189-0x0000000000000000-mapping.dmp

Download
memory/2268-149-0x0000000000000000-mapping.dmp

Download
memory/2276-131-0x0000000000000000-mapping.dmp

Download
memory/2300-141-0x0000000000000000-mapping.dmp

Download
memory/2308-172-0x0000000000000000-mapping.dmp

Download
memory/2364-183-0x0000000000000000-mapping.dmp

Download
memory/2552-178-0x0000000000000000-mapping.dmp

Download
memory/2672-147-0x0000000000000000-mapping.dmp

Download
memory/2736-140-0x0000000000000000-mapping.dmp

Download
memory/2808-188-0x0000000000000000-mapping.dmp

Download
memory/2840-132-0x0000000000000000-mapping.dmp

Download
memory/2856-200-0x0000000000000000-mapping.dmp

Download
memory/2860-122-0x0000000000000000-mapping.dmp

Download
memory/2888-139-0x0000000000000000-mapping.dmp

Download
memory/2888-124-0x0000000000000000-mapping.dmp

Download
memory/2972-171-0x0000000000000000-mapping.dmp

Download
memory/3008-182-0x0000000000000000-mapping.dmp

Download
memory/3008-194-0x0000000000000000-mapping.dmp

Download
memory/3012-123-0x0000000000000000-mapping.dmp

Download
memory/3052-201-0x0000000000000000-mapping.dmp

Download
memory/3068-146-0x0000000000000000-mapping.dmp

Download
memory/3256-169-0x0000000000000000-mapping.dmp

Download
memory/3316-142-0x0000000000000000-mapping.dmp

Download
memory/3444-117-0x0000000000000000-mapping.dmp

Download
memory/3688-165-0x0000000000000000-mapping.dmp

Download
memory/3704-179-0x0000000000000000-mapping.dmp

Download
memory/3704-128-0x0000000000000000-mapping.dmp

Download
memory/3716-135-0x0000000000000000-mapping.dmp

Download
memory/3784-129-0x0000000000000000-mapping.dmp

Download
memory/3784-208-0x0000000000000000-mapping.dmp

Download
memory/3784-186-0x0000000000000000-mapping.dmp

Download
memory/3784-153-0x0000000000000000-mapping.dmp

Download
memory/3796-175-0x0000000000000000-mapping.dmp

Download
memory/3800-130-0x0000000000000000-mapping.dmp

Download
memory/3824-185-0x0000000000000000-mapping.dmp

Download
memory/3892-163-0x0000000000000000-mapping.dmp

Download
memory/3912-159-0x0000000000000000-mapping.dmp

Download
memory/3944-145-0x0000000000000000-mapping.dmp

Download
memory/3944-161-0x0000000000000000-mapping.dmp

Download
memory/3972-168-0x0000000000000000-mapping.dmp

Download
memory/3988-196-0x0000000000000000-mapping.dmp

Download