111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Analysis

max time kernel
149s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Size

607KB
MD5

731722135b0186ccbce4e924ec43ff70
SHA1

4488df21de38e385e8942f317bf248743d2a854b
SHA256

111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
SHA512

5d9641302be7865957e223702bcbd9dc75303a04dbfb9709b72a758ebf015c606c3f61ae43616975e8fba63a29dd5e469133cef42f5c0d86e785b4b1a8e688fd
SSDEEP

12288:nWUTFrf1wrylZCQn0EeZ9N242YaWOrjX/CUP/p1WxFLBxjxriEpQS:nWyFrfhAEdFWO/X/CwvWxFBxjxriEX

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\WOoUoUAo\\woUQsQYc.exe,"	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\WOoUoUAo\\woUQsQYc.exe,"	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
5052	LiMAoswg.exe
784	woUQsQYc.exe
4232	GMAwscoc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LiMAoswg.exe = "C:\\Users\\Admin\\pKEsEAso\\LiMAoswg.exe"	LiMAoswg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\woUQsQYc.exe = "C:\\ProgramData\\WOoUoUAo\\woUQsQYc.exe"	woUQsQYc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\woUQsQYc.exe = "C:\\ProgramData\\WOoUoUAo\\woUQsQYc.exe"	GMAwscoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LiMAoswg.exe = "C:\\Users\\Admin\\pKEsEAso\\LiMAoswg.exe"	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\woUQsQYc.exe = "C:\\ProgramData\\WOoUoUAo\\woUQsQYc.exe"	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\pKEsEAso	GMAwscoc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\pKEsEAso\LiMAoswg	GMAwscoc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4380	reg.exe
4560	reg.exe
740	reg.exe
3348	reg.exe
3036	reg.exe
4892	reg.exe
3464	reg.exe
1476	reg.exe
3980	reg.exe
4552	reg.exe
1604	reg.exe
4844	reg.exe
1816	reg.exe
4668	reg.exe
4604	reg.exe
3784	reg.exe
2684	reg.exe
3060	reg.exe
4920	reg.exe
1148	reg.exe
4220	reg.exe
360	reg.exe
4804	reg.exe
4172	reg.exe
1652	reg.exe
4484	reg.exe
4428	reg.exe
3416	reg.exe
3444	reg.exe
600	reg.exe
1188	reg.exe
1552	reg.exe
3784	reg.exe
4756	reg.exe
4620	reg.exe
1960	reg.exe
2608	reg.exe
4380	reg.exe
1972	reg.exe
1412	reg.exe
4920	reg.exe
2880	reg.exe
4836	reg.exe
2952	reg.exe
2584	reg.exe
4944	reg.exe
2552	reg.exe
2452	reg.exe
5104	reg.exe
5116	reg.exe
912	reg.exe
3560	reg.exe
2104	reg.exe
1136	reg.exe
780	reg.exe
3932	reg.exe
3468	reg.exe
3412	reg.exe
3872	reg.exe
4416	reg.exe
3984	reg.exe
3584	reg.exe
2580	reg.exe
4188	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
4856	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
4856	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
4856	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
4856	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
5036	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
5036	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
5036	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
5036	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
704	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
704	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
704	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
704	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
4008	Conhost.exe
4008	Conhost.exe
4008	Conhost.exe
4008	Conhost.exe
3876	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
3876	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
3876	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
3876	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
1756	Conhost.exe
1756	Conhost.exe
1756	Conhost.exe
1756	Conhost.exe
3912	cscript.exe
3912	cscript.exe
3912	cscript.exe
3912	cscript.exe
3424	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
3424	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
3424	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
3424	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
848	Conhost.exe
848	Conhost.exe
848	Conhost.exe
848	Conhost.exe
4840	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
4840	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
4840	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
4840	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
1516	reg.exe
1516	reg.exe
1516	reg.exe
1516	reg.exe
876	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
876	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
876	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
876	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
3336	cmd.exe
3336	cmd.exe
3336	cmd.exe
3336	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 5052	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	83
PID 4720 wrote to memory of 5052	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	83
PID 4720 wrote to memory of 5052	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	83
PID 4720 wrote to memory of 784	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	84
PID 4720 wrote to memory of 784	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	84
PID 4720 wrote to memory of 784	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	84
PID 4720 wrote to memory of 3620	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	233
PID 4720 wrote to memory of 3620	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	233
PID 4720 wrote to memory of 3620	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	233
PID 4720 wrote to memory of 32	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	232
PID 4720 wrote to memory of 32	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	232
PID 4720 wrote to memory of 32	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	232
PID 3620 wrote to memory of 3896	3620	cmd.exe	87
PID 3620 wrote to memory of 3896	3620	cmd.exe	87
PID 3620 wrote to memory of 3896	3620	cmd.exe	87
PID 4720 wrote to memory of 2320	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	231
PID 4720 wrote to memory of 2320	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	231
PID 4720 wrote to memory of 2320	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	231
PID 4720 wrote to memory of 2484	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	229
PID 4720 wrote to memory of 2484	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	229
PID 4720 wrote to memory of 2484	4720	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	229
PID 3896 wrote to memory of 2944	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	228
PID 3896 wrote to memory of 2944	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	228
PID 3896 wrote to memory of 2944	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	228
PID 2944 wrote to memory of 2656	2944	cmd.exe	227
PID 2944 wrote to memory of 2656	2944	cmd.exe	227
PID 2944 wrote to memory of 2656	2944	cmd.exe	227
PID 3896 wrote to memory of 4756	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	226
PID 3896 wrote to memory of 4756	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	226
PID 3896 wrote to memory of 4756	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	226
PID 3896 wrote to memory of 4380	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	247
PID 3896 wrote to memory of 4380	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	247
PID 3896 wrote to memory of 4380	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	247
PID 3896 wrote to memory of 1476	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	223
PID 3896 wrote to memory of 1476	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	223
PID 3896 wrote to memory of 1476	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	223
PID 3896 wrote to memory of 1016	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	221
PID 3896 wrote to memory of 1016	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	221
PID 3896 wrote to memory of 1016	3896	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	221
PID 2656 wrote to memory of 712	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	219
PID 2656 wrote to memory of 712	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	219
PID 2656 wrote to memory of 712	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	219
PID 2656 wrote to memory of 4120	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	217
PID 2656 wrote to memory of 4120	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	217
PID 2656 wrote to memory of 4120	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	217
PID 2656 wrote to memory of 1576	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	216
PID 2656 wrote to memory of 1576	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	216
PID 2656 wrote to memory of 1576	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	216
PID 2656 wrote to memory of 4072	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	97
PID 2656 wrote to memory of 4072	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	97
PID 2656 wrote to memory of 4072	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	97
PID 2656 wrote to memory of 4912	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	95
PID 2656 wrote to memory of 4912	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	95
PID 2656 wrote to memory of 4912	2656	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	95
PID 712 wrote to memory of 4856	712	cmd.exe	93
PID 712 wrote to memory of 4856	712	cmd.exe	93
PID 712 wrote to memory of 4856	712	cmd.exe	93
PID 4856 wrote to memory of 1856	4856	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	214
PID 4856 wrote to memory of 1856	4856	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	214
PID 4856 wrote to memory of 1856	4856	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	214
PID 1856 wrote to memory of 5036	1856	cmd.exe	213
PID 1856 wrote to memory of 5036	1856	cmd.exe	213
PID 1856 wrote to memory of 5036	1856	cmd.exe	213
PID 4856 wrote to memory of 3084	4856	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe	99

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
"C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\pKEsEAso\LiMAoswg.exe
  "C:\Users\Admin\pKEsEAso\LiMAoswg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5052
- C:\ProgramData\WOoUoUAo\woUQsQYc.exe
  "C:\ProgramData\WOoUoUAo\woUQsQYc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:784
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2484
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  PID:2320
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:32
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620

C:\ProgramData\JoEQAwAo\GMAwscoc.exe
C:\ProgramData\JoEQAwAo\GMAwscoc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4232

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmYUUUcI.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:1016
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1476
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4380
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYEQkQYU.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4516
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3452
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2228
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4348
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giUEgUwM.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
1⤵
PID:4912
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEIkckYw.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
1⤵
PID:584
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:4008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xucIMIcs.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:2940
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2320
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:792
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:32
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:596
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
1⤵
PID:2980
- C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
  C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
  2⤵
  PID:3912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYAssUEI.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
    3⤵
    PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAwAcMkk.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
1⤵
PID:4348
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuMcEEAI.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:3452
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkMQMkEk.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4944
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2676
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:2876
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:704
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    PID:4732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:712
    - - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        5⤵
        
        PID:1032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        6⤵
        
        PID:2744
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmAQgUgk.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        6⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1948
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2104
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2524
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:4920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:3728

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuQIUccU.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:3588
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4288
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4756
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3240
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqQkssYE.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1176
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:3304
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        5⤵
        
        PID:3728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        6⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        8⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        9⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGgskwYw.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        8⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4120
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgoMwccQ.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        6⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2648
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3804
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3700
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSgIIIUg.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:2584
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3984
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:5116

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:4840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUYQIAYU.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:3096
    - - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        5⤵
        
        PID:3776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmgMEUsk.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        6⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4552
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1788
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2408
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2512
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        6⤵
        
        PID:1712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEAUAQAI.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:3264
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1620
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1220
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4416
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1476
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3804
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:4820
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    PID:1520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faQoosAg.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:628
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:5068
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1860
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:3896
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1576
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3932
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2584
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYEcUkUE.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
1⤵
PID:3824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
1⤵
PID:4328
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1396

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEYEEcsw.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
1⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4624
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
1⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
1⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5036
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3344

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    PID:3336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:3052
    - - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        5⤵
        
        PID:1852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        6⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        7⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQwMAwYw.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        8⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        8⤵
        
        PID:1768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAscQYQk.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        6⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2600
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2008
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3416
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3060
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqAAEUgk.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        6⤵
        
        PID:500
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2188
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2016
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:5008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkMYcwoY.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:4872
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4236
    - - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        5⤵
        
        PID:2688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        6⤵
        
        PID:4240
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIwocoIY.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        6⤵
        
        PID:4036
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:364
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4280
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMMocIAU.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3976
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    PID:1336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:4444
    - - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        6⤵
        
        PID:3240
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIUYoAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        6⤵
        
        PID:4820
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:4428
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1312
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:5088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCYoMIMY.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1036
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3692
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2180
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4620
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:4756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:5100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIIwYogU.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:3188
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2188
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    PID:4228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmokkAgU.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      Modifies registry key
      PID:4920
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4552
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:2804
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:500
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4172

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:4796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:3264
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoUgoUYk.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:1072
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3448
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:1412
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1064
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoUgsUQY.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:3472
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1224
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1352
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:4624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqokwEog.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:936
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3188
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:516
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:2236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    PID:3536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:4000
    - - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        5⤵
        
        PID:3900
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XusAMwws.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        6⤵
        
        PID:4740
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1788
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3992
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        6⤵
        
        PID:4236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkgEksEk.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:600
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2544
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4288
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SasAosgs.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:3640
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3428
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4012
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4380
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Checks whether UAC is enabled
    - System policy modification
    PID:1412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuYggMAg.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:4924
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2308
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2376
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:3888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:3752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmwYkMQs.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:1984
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:5028
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:960
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4780
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:1236

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:2260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YukkoMsw.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:3476
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1964
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1828
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3668
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:2436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
1⤵
PID:3076
- C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
  C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
  2⤵
  PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
    3⤵
    PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
      C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
      4⤵
      PID:2272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwUUYgwM.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        5⤵
        
        PID:3052
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:2308
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3696
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        5⤵
        
        PID:804
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqIUgwAY.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2608
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1108
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4560
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3444

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:4156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWgEAgwM.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:4700
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3844
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1008
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:3056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:488
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    PID:4372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYAgoYkk.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1516
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1232
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:4484
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKsgAcYY.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:4380
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4516
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4668
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  PID:1868
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4680

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:3384
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMEkUwwU.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:4612
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4832
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5056
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:4740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:3276
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuckAwgY.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:4220
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:1176
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3932
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMkoksUM.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:4028
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2096
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4560
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:2376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    PID:4180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:3344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeEQQIwI.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:4964
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3004
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1396
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2276
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        UAC bypass
        
        PID:3188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saYAcQks.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3952
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:640
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4160
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5100

C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
1⤵
PID:1020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
  2⤵
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
    C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
      4⤵
      PID:3436
    - - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        5⤵
        
        PID:4700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        6⤵
        
        PID:2592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        UAC bypass
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        7⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        8⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        9⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        10⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        11⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        12⤵
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        UAC bypass
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        13⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        14⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        15⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        16⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        17⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        18⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        19⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        20⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        21⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        22⤵
        
        PID:2380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        23⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        24⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        25⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        26⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        27⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        28⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        29⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        30⤵
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        31⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        32⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        33⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        34⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        35⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwYcAosg.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        36⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        36⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaYosYUg.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        34⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:1188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:2268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgwgsowA.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        32⤵
        
        PID:3376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgwkMwEs.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        30⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMoUQMYI.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        28⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\paAcUkcE.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        26⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyUQQAgU.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        24⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgUwgcko.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        22⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:3416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:1148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEcsEsUM.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        20⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyAkMMwU.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        18⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQIwQIkI.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        16⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEoMcAwY.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        14⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        UAC bypass
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMgEEooM.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        12⤵
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQQUMQgE.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        10⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        UAC bypass
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeoMUAgc.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        8⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1508
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYwcwEMU.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        6⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:5116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1312
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1320
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4752
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeYMEEgU.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
      4⤵
      PID:5020
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3684
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1604
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4324
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4832
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2968
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2140
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuEgAkAw.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2912
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:596
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:1964
- C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
  C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
    3⤵
    PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
      C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
      4⤵
      PID:1660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        5⤵
        
        PID:3036
      - C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        6⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        8⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        10⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        11⤵
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        12⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        13⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        14⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        15⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        16⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        17⤵
        
        PID:408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        18⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        19⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        20⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        21⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        22⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        23⤵
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        24⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        25⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        26⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        27⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        28⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        29⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        30⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        31⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        32⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        33⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        34⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        35⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        36⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        37⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        38⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        39⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        40⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        41⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        42⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        43⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        44⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        45⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        46⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        47⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        48⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        49⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        50⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        51⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe
        
        C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83
        52⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83"
        53⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKkcgMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        49⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        UAC bypass
        Modifies registry key
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqsIYcAc.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        47⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        UAC bypass
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwAYgYAo.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        45⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        UAC bypass
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        Modifies registry key
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        Modifies registry key
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        UAC bypass
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGswcEgY.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        43⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOEEUYEI.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        41⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        UAC bypass
        Modifies registry key
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMYQosUI.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        39⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqYkwQIA.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        37⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        
        PID:364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEIsYwwI.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        35⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        UAC bypass
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsMoMsYE.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        33⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        UAC bypass
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        UAC bypass
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgQkkIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        31⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIcUUwAg.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        29⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        Modifies registry key
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmAkwAMg.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        27⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        UAC bypass
        Modifies registry key
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQEMcsQg.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        25⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMwwYIwo.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        23⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        Modifies registry key
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuUYMIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        UAC bypass
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        Modifies registry key
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWYgQYsc.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        19⤵
        
        PID:4904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        UAC bypass
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        
        PID:504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQIgIIsY.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        17⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        Modifies registry key
        
        PID:360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        
        PID:2652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EaocwoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        15⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQEIsMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        13⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        Modifies registry key
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        
        PID:712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSEwIkgM.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        11⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAYEcUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        9⤵
        
        PID:3068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        
        PID:3468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkUwwwos.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        7⤵
        
        PID:2208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:4220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4924
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:4224
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGgokgYs.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
        5⤵
        
        PID:780
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:4952
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3820
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3412
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMIIMQEc.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
    3⤵
    PID:2688
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3132
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:2968
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:4604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voIcgAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83.exe""
1⤵
PID:800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\JoEQAwAo\GMAwscoc.exe

Filesize
481KB

MD5
496db6d5c44ca541b00be622dd28e5e3

SHA1
5ed160cb8b7b3eb0dc56f1f91afa6b7c9bcb92f4

SHA256
be640758e6fae5eb343cfbf3fa29899a72a237497da209e4a9954ddc9f9676d3

SHA512
a845b27cf6e5567f196b682c3811e84226d83a6cf9faf4831be35ddfaca808bbe0568e7a5d67fdfff1e88eccfbf601404274efb2bf0283d3b87dbf59d614b511

Download Submit
C:\ProgramData\JoEQAwAo\GMAwscoc.exe

Filesize
481KB

MD5
496db6d5c44ca541b00be622dd28e5e3

SHA1
5ed160cb8b7b3eb0dc56f1f91afa6b7c9bcb92f4

SHA256
be640758e6fae5eb343cfbf3fa29899a72a237497da209e4a9954ddc9f9676d3

SHA512
a845b27cf6e5567f196b682c3811e84226d83a6cf9faf4831be35ddfaca808bbe0568e7a5d67fdfff1e88eccfbf601404274efb2bf0283d3b87dbf59d614b511

Download Submit
C:\ProgramData\WOoUoUAo\woUQsQYc.exe

Filesize
481KB

MD5
4c8d9f792399944339b2db8a98514330

SHA1
edaacb13ee3129942a244bab536b4d3692f0b6bc

SHA256
ea10046a80ee5281dd00448715d7d51b1404fdb072cbcc38d96c86efb6c912b0

SHA512
f322fab287ab20b4e41debbdabb60ca480ef4afc26273ad5b51e7435b8faa4771057b68fe3ba5fdbb78514bb61bc1ab02fde8a1fc933bddbc95704b21521946a

Download Submit
C:\ProgramData\WOoUoUAo\woUQsQYc.exe

Filesize
481KB

MD5
4c8d9f792399944339b2db8a98514330

SHA1
edaacb13ee3129942a244bab536b4d3692f0b6bc

SHA256
ea10046a80ee5281dd00448715d7d51b1404fdb072cbcc38d96c86efb6c912b0

SHA512
f322fab287ab20b4e41debbdabb60ca480ef4afc26273ad5b51e7435b8faa4771057b68fe3ba5fdbb78514bb61bc1ab02fde8a1fc933bddbc95704b21521946a

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\111e86aacb8bd52339cdfff3cb8b4d34aba611f31edd26968048b6c087840d83

Filesize
120KB

MD5
91f7ecd44a3fbe9ebd279a08c428a71c

SHA1
daba8d455f8970bfaed98318c1e7da0b213525b9

SHA256
52369bfb5a09b74afed8d2ef699740d200bd003f909660d12a47c852d2b0ec2f

SHA512
2e71f91d5856b68c96b1257c92c7b9acb1a21a66317c2a00f631ee131c735679bb065c149457a017cd56dea3386d1da402075ffdec754557d5c495dccb57717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAwAcMkk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIIwYogU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JmYUUUcI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LuQIUccU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYEQkQYU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAscQYQk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEIkckYw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoUgsUQY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZUYQIAYU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\giUEgUwM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEAUAQAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMMocIAU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQwMAwYw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYEcUkUE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYAssUEI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEYEEcsw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuMcEEAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkMYcwoY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xucIMIcs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoUgoUYk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\pKEsEAso\LiMAoswg.exe

Filesize
485KB

MD5
4c3069ab9c8c5f2cf9ff2a1bba625e0d

SHA1
cd36c15ee53ff4c3e15b58cf32c284ddbd9575ef

SHA256
66b82a42af3a265847163111c88edc706acc9e4b590b6fce29f7d7646e5949fb

SHA512
310d9fe3a7f8da5f51b122567325d276b756902bab78692ef8b2ba6dfbf6ab28b0e2b28775ec722302023acaf0e8738c69f0d0aae4e4fd6a6f7524618c5929d4

Download Submit
C:\Users\Admin\pKEsEAso\LiMAoswg.exe

Filesize
485KB

MD5
4c3069ab9c8c5f2cf9ff2a1bba625e0d

SHA1
cd36c15ee53ff4c3e15b58cf32c284ddbd9575ef

SHA256
66b82a42af3a265847163111c88edc706acc9e4b590b6fce29f7d7646e5949fb

SHA512
310d9fe3a7f8da5f51b122567325d276b756902bab78692ef8b2ba6dfbf6ab28b0e2b28775ec722302023acaf0e8738c69f0d0aae4e4fd6a6f7524618c5929d4

Download Submit
memory/32-145-0x0000000000000000-mapping.dmp

Download
memory/32-209-0x0000000000000000-mapping.dmp

Download
memory/488-230-0x0000000000000000-mapping.dmp

Download
memory/584-187-0x0000000000000000-mapping.dmp

Download
memory/596-207-0x0000000000000000-mapping.dmp

Download
memory/704-183-0x0000000000000000-mapping.dmp

Download
memory/704-201-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/704-188-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/712-160-0x0000000000000000-mapping.dmp

Download
memory/784-257-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/784-138-0x0000000000000000-mapping.dmp

Download
memory/784-141-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/792-210-0x0000000000000000-mapping.dmp

Download
memory/848-252-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/848-248-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/876-267-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/876-265-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/936-234-0x0000000000000000-mapping.dmp

Download
memory/1016-155-0x0000000000000000-mapping.dmp

Download
memory/1032-311-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1036-309-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1108-198-0x0000000000000000-mapping.dmp

Download
memory/1336-298-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1476-154-0x0000000000000000-mapping.dmp

Download
memory/1516-291-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1516-262-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1516-293-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1532-191-0x0000000000000000-mapping.dmp

Download
memory/1576-162-0x0000000000000000-mapping.dmp

Download
memory/1756-221-0x0000000000000000-mapping.dmp

Download
memory/1756-236-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1756-233-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1844-317-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1852-275-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1856-171-0x0000000000000000-mapping.dmp

Download
memory/1868-223-0x0000000000000000-mapping.dmp

Download
memory/1924-180-0x0000000000000000-mapping.dmp

Download
memory/1948-239-0x0000000000000000-mapping.dmp

Download
memory/2144-241-0x0000000000000000-mapping.dmp

Download
memory/2228-175-0x0000000000000000-mapping.dmp

Download
memory/2260-314-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2272-316-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2272-318-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2276-184-0x0000000000000000-mapping.dmp

Download
memory/2320-211-0x0000000000000000-mapping.dmp

Download
memory/2320-147-0x0000000000000000-mapping.dmp

Download
memory/2352-301-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2484-148-0x0000000000000000-mapping.dmp

Download
memory/2584-231-0x0000000000000000-mapping.dmp

Download
memory/2656-151-0x0000000000000000-mapping.dmp

Download
memory/2656-166-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2656-158-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2688-307-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2688-308-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2940-212-0x0000000000000000-mapping.dmp

Download
memory/2944-150-0x0000000000000000-mapping.dmp

Download
memory/2980-228-0x0000000000000000-mapping.dmp

Download
memory/3056-322-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3056-321-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3064-200-0x0000000000000000-mapping.dmp

Download
memory/3084-173-0x0000000000000000-mapping.dmp

Download
memory/3312-197-0x0000000000000000-mapping.dmp

Download
memory/3336-271-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3348-205-0x0000000000000000-mapping.dmp

Download
memory/3424-247-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3424-245-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3476-216-0x0000000000000000-mapping.dmp

Download
memory/3536-305-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3620-144-0x0000000000000000-mapping.dmp

Download
memory/3652-303-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3652-304-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3752-313-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3752-312-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3776-297-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3824-224-0x0000000000000000-mapping.dmp

Download
memory/3876-219-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3876-225-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3876-208-0x0000000000000000-mapping.dmp

Download
memory/3896-157-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3896-146-0x0000000000000000-mapping.dmp

Download
memory/3900-306-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3912-237-0x0000000000000000-mapping.dmp

Download
memory/3912-242-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3960-232-0x0000000000000000-mapping.dmp

Download
memory/3980-220-0x0000000000000000-mapping.dmp

Download
memory/4008-202-0x0000000000000000-mapping.dmp

Download
memory/4008-280-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4008-276-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4008-213-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4072-163-0x0000000000000000-mapping.dmp

Download
memory/4120-161-0x0000000000000000-mapping.dmp

Download
memory/4156-315-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4228-320-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4232-156-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4328-218-0x0000000000000000-mapping.dmp

Download
memory/4348-235-0x0000000000000000-mapping.dmp

Download
memory/4348-174-0x0000000000000000-mapping.dmp

Download
memory/4372-323-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4380-153-0x0000000000000000-mapping.dmp

Download
memory/4416-222-0x0000000000000000-mapping.dmp

Download
memory/4516-190-0x0000000000000000-mapping.dmp

Download
memory/4596-185-0x0000000000000000-mapping.dmp

Download
memory/4624-199-0x0000000000000000-mapping.dmp

Download
memory/4624-302-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4680-196-0x0000000000000000-mapping.dmp

Download
memory/4720-133-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4720-132-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4732-310-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4756-284-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4756-152-0x0000000000000000-mapping.dmp

Download
memory/4764-186-0x0000000000000000-mapping.dmp

Download
memory/4792-193-0x0000000000000000-mapping.dmp

Download
memory/4796-288-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4804-176-0x0000000000000000-mapping.dmp

Download
memory/4828-178-0x0000000000000000-mapping.dmp

Download
memory/4840-319-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4840-255-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4856-169-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4856-177-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4856-165-0x0000000000000000-mapping.dmp

Download
memory/4912-164-0x0000000000000000-mapping.dmp

Download
memory/5036-189-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/5036-172-0x0000000000000000-mapping.dmp

Download
memory/5052-134-0x0000000000000000-mapping.dmp

Download
memory/5052-137-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5052-256-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5112-299-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/5112-300-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download