f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Analysis

max time kernel
152s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Size

440KB
MD5

4e95dd509b07d6db6dbda57435cf93a0
SHA1

64f5bd9bfa61e5f9cbedcdd17bbdc9927c033af2
SHA256

f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
SHA512

ebae596e1ae599e974a2779bfb438f3494977b3eb1d7839cc78b25eaa49d6a8ff82e467c59035f308f896c127611cc35d4a4cfeb92b52631bc0547944cbe8aa8
SSDEEP

12288:xwjRTCUts6Y9uQMZrL77QIuX9zG8uj5Hb+AqD:6dfNvQMZ77QJLu1iAqD

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 44 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 44 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2548	SsIEUkgY.exe
4832	tYEMsUsQ.exe
4580	YKEEMkMs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SsIEUkgY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tYEMsUsQ.exe = "C:\\ProgramData\\UiggEIIE\\tYEMsUsQ.exe"	YKEEMkMs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SsIEUkgY.exe = "C:\\Users\\Admin\\jSsMEUMc\\SsIEUkgY.exe"	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tYEMsUsQ.exe = "C:\\ProgramData\\UiggEIIE\\tYEMsUsQ.exe"	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SsIEUkgY.exe = "C:\\Users\\Admin\\jSsMEUMc\\SsIEUkgY.exe"	SsIEUkgY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tYEMsUsQ.exe = "C:\\ProgramData\\UiggEIIE\\tYEMsUsQ.exe"	tYEMsUsQ.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	SsIEUkgY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\jSsMEUMc	YKEEMkMs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\jSsMEUMc\SsIEUkgY	YKEEMkMs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2992	reg.exe
1876	reg.exe
3900	reg.exe
1268	reg.exe
4228	reg.exe
936	reg.exe
3788	reg.exe
4352	reg.exe
1148	reg.exe
1608	reg.exe
4236	reg.exe
780	reg.exe
4704	reg.exe
1760	reg.exe
4284	reg.exe
1592	reg.exe
3208	reg.exe
3836	reg.exe
3640	reg.exe
1672	reg.exe
2488	reg.exe
4792	reg.exe
1696	reg.exe
1112	reg.exe
4796	reg.exe
1884	reg.exe
4540	reg.exe
3180	reg.exe
4184	reg.exe
4684	reg.exe
2080	reg.exe
4684	reg.exe
3120	reg.exe
3696	reg.exe
1028	reg.exe
4460	reg.exe
4152	reg.exe
2252	reg.exe
1212	reg.exe
5000	reg.exe
2488	reg.exe
1832	reg.exe
1032	reg.exe
4524	reg.exe
1688	reg.exe
1436	reg.exe
400	reg.exe
4944	reg.exe
1148	reg.exe
1888	reg.exe
3516	reg.exe
2816	reg.exe
5036	reg.exe
2576	reg.exe
2336	reg.exe
4016	reg.exe
60	reg.exe
4332	reg.exe
4508	reg.exe
3452	reg.exe
2220	reg.exe
5092	reg.exe
616	reg.exe
4400	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
2912	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
2912	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
2912	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
2912	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4276	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4276	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4276	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4276	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
1108	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
1108	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
1108	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
1108	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4036	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4036	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4036	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4036	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4972	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4972	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4972	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4972	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
792	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
792	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
792	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
792	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
512	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
512	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
512	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
512	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
3020	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
3020	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
3020	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
3020	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
3688	Conhost.exe
3688	Conhost.exe
3688	Conhost.exe
3688	Conhost.exe
2812	Conhost.exe
2812	Conhost.exe
2812	Conhost.exe
2812	Conhost.exe
3184	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
3184	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
3184	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
3184	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4740	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4740	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4740	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
4740	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
3760	cmd.exe
3760	cmd.exe
3760	cmd.exe
3760	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2548	SsIEUkgY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe
2548	SsIEUkgY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2548	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	81
PID 1196 wrote to memory of 2548	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	81
PID 1196 wrote to memory of 2548	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	81
PID 1196 wrote to memory of 4832	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	82
PID 1196 wrote to memory of 4832	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	82
PID 1196 wrote to memory of 4832	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	82
PID 1196 wrote to memory of 4680	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	84
PID 1196 wrote to memory of 4680	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	84
PID 1196 wrote to memory of 4680	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	84
PID 1196 wrote to memory of 4796	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	86
PID 1196 wrote to memory of 4796	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	86
PID 1196 wrote to memory of 4796	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	86
PID 1196 wrote to memory of 4800	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	89
PID 1196 wrote to memory of 4800	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	89
PID 1196 wrote to memory of 4800	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	89
PID 4680 wrote to memory of 1092	4680	cmd.exe	88
PID 4680 wrote to memory of 1092	4680	cmd.exe	88
PID 4680 wrote to memory of 1092	4680	cmd.exe	88
PID 1196 wrote to memory of 3760	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	90
PID 1196 wrote to memory of 3760	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	90
PID 1196 wrote to memory of 3760	1196	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	90
PID 1092 wrote to memory of 400	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	93
PID 1092 wrote to memory of 400	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	93
PID 1092 wrote to memory of 400	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	93
PID 1092 wrote to memory of 4632	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	95
PID 1092 wrote to memory of 4632	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	95
PID 1092 wrote to memory of 4632	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	95
PID 1092 wrote to memory of 2600	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	102
PID 1092 wrote to memory of 2600	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	102
PID 1092 wrote to memory of 2600	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	102
PID 1092 wrote to memory of 1884	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	97
PID 1092 wrote to memory of 1884	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	97
PID 1092 wrote to memory of 1884	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	97
PID 1092 wrote to memory of 4676	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	100
PID 1092 wrote to memory of 4676	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	100
PID 1092 wrote to memory of 4676	1092	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	100
PID 400 wrote to memory of 4776	400	cmd.exe	103
PID 400 wrote to memory of 4776	400	cmd.exe	103
PID 400 wrote to memory of 4776	400	cmd.exe	103
PID 4776 wrote to memory of 2308	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	104
PID 4776 wrote to memory of 2308	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	104
PID 4776 wrote to memory of 2308	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	104
PID 2308 wrote to memory of 2912	2308	cmd.exe	106
PID 2308 wrote to memory of 2912	2308	cmd.exe	106
PID 2308 wrote to memory of 2912	2308	cmd.exe	106
PID 4776 wrote to memory of 1212	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	107
PID 4776 wrote to memory of 1212	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	107
PID 4776 wrote to memory of 1212	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	107
PID 4776 wrote to memory of 3768	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	110
PID 4776 wrote to memory of 3768	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	110
PID 4776 wrote to memory of 3768	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	110
PID 4776 wrote to memory of 3836	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	109
PID 4776 wrote to memory of 3836	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	109
PID 4776 wrote to memory of 3836	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	109
PID 4776 wrote to memory of 3648	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	111
PID 4776 wrote to memory of 3648	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	111
PID 4776 wrote to memory of 3648	4776	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	111
PID 4676 wrote to memory of 1432	4676	cmd.exe	114
PID 4676 wrote to memory of 1432	4676	cmd.exe	114
PID 4676 wrote to memory of 1432	4676	cmd.exe	114
PID 2912 wrote to memory of 4348	2912	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	116
PID 2912 wrote to memory of 4348	2912	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	116
PID 2912 wrote to memory of 4348	2912	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe	116
PID 3648 wrote to memory of 2852	3648	cmd.exe	118

System policy modification 1 TTPs 10 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
"C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\jSsMEUMc\SsIEUkgY.exe
  "C:\Users\Admin\jSsMEUMc\SsIEUkgY.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2548
- C:\ProgramData\UiggEIIE\tYEMsUsQ.exe
  "C:\ProgramData\UiggEIIE\tYEMsUsQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
    C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        8⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        10⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        12⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        14⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        16⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        18⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        20⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        22⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        23⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        24⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        25⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        26⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        28⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        30⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        31⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        32⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        33⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        34⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        35⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        36⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        37⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        38⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        39⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        40⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        41⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        42⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        43⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        44⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        45⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        46⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        47⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        48⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        49⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        50⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        51⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        52⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        53⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        54⤵
        
        PID:2356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        55⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        56⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        57⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        58⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        59⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        60⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        61⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        62⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        63⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        64⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        65⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        66⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        67⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        68⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        69⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        70⤵
        
        PID:1680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        UAC bypass
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        71⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        72⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        73⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        74⤵
        
        PID:2908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        75⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        76⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        77⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        78⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        79⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        80⤵
        
        PID:3700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        UAC bypass
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        81⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        82⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        83⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        84⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        85⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        86⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe
        
        C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0
        87⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0"
        88⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOscwEEk.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        88⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\migkssoc.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        86⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUoUIgMg.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        84⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KskUsggM.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        82⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOEcYcMo.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        80⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEcwcYkI.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        78⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaMsUIws.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        76⤵
        
        PID:4712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkQkIwcQ.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        74⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiEIYEMI.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        72⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hesokAoI.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        70⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osEYoUMg.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaMsoAcg.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMkIsEAw.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        64⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:1688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwccYgwY.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        62⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKwoUwsY.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        60⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KocoYgAk.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        58⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIEcAAkA.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        56⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSQYIssI.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        54⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmYwwcoc.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        52⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAMUocQE.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        50⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEYMIEEc.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        48⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcUwEokE.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        46⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSIsYUEs.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        44⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swckkQcE.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        42⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAMkEwQM.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        40⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkUEUEAs.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        38⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkQYAckE.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        36⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoIMAEQE.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        34⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCQgksEQ.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        32⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIkgMAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        30⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKwwwMok.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        28⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:2576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUwEUgIM.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        26⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:2080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        UAC bypass
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWMckQEc.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        24⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaEQgAog.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        22⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egEggMoY.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        20⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWskkEkU.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        18⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYEQAUoY.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        16⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqcsMoow.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        14⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIcIAwgc.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        12⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCsQEcss.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        10⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiAgsUcc.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        8⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2768
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1212
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:3836
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwsIckAQ.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2852
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4632
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSoAMMAc.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1432
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2600
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:4796
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4800
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsckksgc.bat" "C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0.exe""
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3032

C:\ProgramData\IekMMcAM\YKEEMkMs.exe
C:\ProgramData\IekMMcAM\YKEEMkMs.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2920

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv V9pSgVP5mUC+Uoujn2yOBw.0.2
1⤵
PID:2080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2320

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IekMMcAM\YKEEMkMs.exe

Filesize
434KB

MD5
f2dbfd028e1a237a9d645ae3a74fdc1f

SHA1
7152fa168769246a336169b48ea9a42a56921961

SHA256
8d4de771c0336a40f504d6e7c1d7ece7acbf1666e08ac6db27ae53f315317d75

SHA512
d9818bc6099f9ccb42c65bfd0bf7f9d383355ede234a75f387187612d479a9c024422bd086d5effc2fc842008765deb3088d3b1a3eeb542a273a5f8d280cef0e

Download Submit
C:\ProgramData\IekMMcAM\YKEEMkMs.exe

Filesize
434KB

MD5
f2dbfd028e1a237a9d645ae3a74fdc1f

SHA1
7152fa168769246a336169b48ea9a42a56921961

SHA256
8d4de771c0336a40f504d6e7c1d7ece7acbf1666e08ac6db27ae53f315317d75

SHA512
d9818bc6099f9ccb42c65bfd0bf7f9d383355ede234a75f387187612d479a9c024422bd086d5effc2fc842008765deb3088d3b1a3eeb542a273a5f8d280cef0e

Download Submit
C:\ProgramData\UiggEIIE\tYEMsUsQ.exe

Filesize
435KB

MD5
3b2a6e36fa424ab66bf50308dc202ee9

SHA1
d12adeadab861a733d5e153b94fb753825898dbf

SHA256
a5f3984291e176a92d113f9e3eabc15872c29eeaf6bd48663e542f4a3ca81d3e

SHA512
cae5ee3d979b7075b315de52ed1aad1559fb0c3865e67e6372bccb6b58dc0f54e459fec151f2836516bb955f9fce151e49f1669cc8cacb4d5a121f115c8f5217

Download Submit
C:\ProgramData\UiggEIIE\tYEMsUsQ.exe

Filesize
435KB

MD5
3b2a6e36fa424ab66bf50308dc202ee9

SHA1
d12adeadab861a733d5e153b94fb753825898dbf

SHA256
a5f3984291e176a92d113f9e3eabc15872c29eeaf6bd48663e542f4a3ca81d3e

SHA512
cae5ee3d979b7075b315de52ed1aad1559fb0c3865e67e6372bccb6b58dc0f54e459fec151f2836516bb955f9fce151e49f1669cc8cacb4d5a121f115c8f5217

Download Submit
C:\Users\Admin\AppData\Local\Temp\CqcsMoow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\DSoAMMAc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUwEUgIM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIcIAwgc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIkgMAIQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWMckQEc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaEQgAog.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkQYAckE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LKwwwMok.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWskkEkU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoIMAEQE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkUEUEAs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwsIckAQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\egEggMoY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c4fbe57e73531e344e7d96acc8222d27c04c0a4c1bfb7be5f03d95f0e262f0

Filesize
6KB

MD5
a137db26123ef0010b9a5a32a99280dc

SHA1
5bf02a4fb41d55ec25ba5ae0d884a6f27427f3e6

SHA256
ba3f69d25e4e77c54b430ccb1cd5af85fff66ec22689f0db6a9bed4fe3733bfd

SHA512
b5b971b7ed99c5682896e8bbfd1aaf93e0a72aa7a4219f93908b98770a0104c6bfd81f6d0b15588a6aceffd99fa305cff0ba4946a6a27675804a273598b83e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kCQgksEQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mCsQEcss.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\swckkQcE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAMkEwQM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYEQAUoY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xiAgsUcc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\jSsMEUMc\SsIEUkgY.exe

Filesize
432KB

MD5
552fb7219722a2e81e806615881df85f

SHA1
3de21074f63ea887a92c309e4c7d1300bf42e33b

SHA256
84cb00c8ae971bed0fa0d7bca909ae126dc87c5f17ec46d0d435b2af3835e04e

SHA512
674afbd28a3f1fcfc2c7a613c4f20ef099f14cd81009d906501df23f81164cff9ff257387ff8fdb6fb007bfc3000efeeb12156940e10d235a6181270911d8c5a

Download Submit
C:\Users\Admin\jSsMEUMc\SsIEUkgY.exe

Filesize
432KB

MD5
552fb7219722a2e81e806615881df85f

SHA1
3de21074f63ea887a92c309e4c7d1300bf42e33b

SHA256
84cb00c8ae971bed0fa0d7bca909ae126dc87c5f17ec46d0d435b2af3835e04e

SHA512
674afbd28a3f1fcfc2c7a613c4f20ef099f14cd81009d906501df23f81164cff9ff257387ff8fdb6fb007bfc3000efeeb12156940e10d235a6181270911d8c5a

Download Submit
memory/8-307-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/372-306-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/512-236-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/512-241-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/792-304-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/792-235-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/848-295-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1092-157-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1108-190-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1108-201-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1196-132-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1196-316-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1196-246-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1488-297-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1688-300-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1696-282-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1696-281-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1828-314-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2100-305-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2240-320-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2320-272-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2320-270-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2548-136-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2548-278-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2608-298-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2608-299-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2812-254-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2912-167-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2912-177-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2916-310-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3020-245-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3100-309-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3100-308-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3180-317-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3184-258-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3184-255-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3288-276-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3596-303-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3640-302-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3640-301-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3644-312-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3644-313-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3688-250-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3760-267-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3840-319-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3840-318-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3872-323-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3872-322-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4036-211-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4276-189-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4288-296-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4460-290-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4460-288-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4580-148-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4676-311-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4740-263-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4776-165-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4776-287-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4816-315-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4832-280-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4832-146-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4972-216-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4972-223-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5000-321-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download