fe51da10c124ccb19506e5756dc085ae9acbb7fa3d643574d51fa3434da8b9e5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10be76fd5d5e9cbea101cf33bdac7a42.exe
Size

484KB
MD5

10be76fd5d5e9cbea101cf33bdac7a42
SHA1

c13a641eaac8f8f769d844a59787d203adf9b162
SHA256

fe51da10c124ccb19506e5756dc085ae9acbb7fa3d643574d51fa3434da8b9e5
SHA512

f9268dc8e64c3324eca94e380852910e6d06f944856257becc84f68fd900c463c362e172df0706298e11d5f984dae59de069f6138d8cd296835053ff168cb2ec
SSDEEP

6144:yTRxDWum7EKVYLDhnGXo6M22WffQcXND+jaTXwhcAd6biCbhEHJ5fE3uFj9jqLXy:OxDWuAEOo6M2GpjaUcAd2bmHouFj9GL

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	10be76fd5d5e9cbea101cf33bdac7a42.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	10be76fd5d5e9cbea101cf33bdac7a42.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	10be76fd5d5e9cbea101cf33bdac7a42.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	10be76fd5d5e9cbea101cf33bdac7a42.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (52) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 5 IoCs

flow	pid	Process
41	2216	cscript.exe
44	2216	cscript.exe
48	2216	cscript.exe
49	2216	cscript.exe
51	2216	cscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	SwwcsgIw.exe

Executes dropped EXE 3 IoCs

pid	Process
3140	fogokUkM.exe
2392	SwwcsgIw.exe
3816	CiEQQMwI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SwwcsgIw.exe = "C:\\ProgramData\\iqwIEsoc\\SwwcsgIw.exe"	CiEQQMwI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CSAYUwAw.exe = "C:\\Users\\Admin\\nsoUAEAI\\CSAYUwAw.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ssIsIscw.exe = "C:\\ProgramData\\iEAwQEMQ\\ssIsIscw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fogokUkM.exe = "C:\\Users\\Admin\\cEwwIcMo\\fogokUkM.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SwwcsgIw.exe = "C:\\ProgramData\\iqwIEsoc\\SwwcsgIw.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SwwcsgIw.exe = "C:\\ProgramData\\iqwIEsoc\\SwwcsgIw.exe"	SwwcsgIw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fogokUkM.exe = "C:\\Users\\Admin\\cEwwIcMo\\fogokUkM.exe"	fogokUkM.exe

Checks whether UAC is enabled 1 TTPs 50 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	10be76fd5d5e9cbea101cf33bdac7a42.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	10be76fd5d5e9cbea101cf33bdac7a42.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	10be76fd5d5e9cbea101cf33bdac7a42.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	10be76fd5d5e9cbea101cf33bdac7a42.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\cEwwIcMo	CiEQQMwI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\cEwwIcMo\fogokUkM	CiEQQMwI.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	SwwcsgIw.exe
File opened for modification	C:\Windows\SysWOW64\sheSaveStart.zip	SwwcsgIw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
688	4388	WerFault.exe
4876	1764	WerFault.exe	390
2684	3068	WerFault.exe	389

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4880	reg.exe
3304	reg.exe
400	reg.exe
3728	reg.exe
4092	reg.exe
4704	reg.exe
2684	reg.exe
728	reg.exe
4624	reg.exe
4136	reg.exe
2892	reg.exe
5088	reg.exe
380	reg.exe
4120	reg.exe
4748	reg.exe
2792	reg.exe
1412	reg.exe
400	reg.exe
1840	reg.exe
1684	reg.exe
1484	reg.exe
1172	reg.exe
4812	reg.exe
3784	reg.exe
2500	reg.exe
400	reg.exe
4704	reg.exe
4968	reg.exe
3916	reg.exe
3344	reg.exe
2116	reg.exe
2580	reg.exe
4484	reg.exe
2112	reg.exe
688	reg.exe
380	reg.exe
1376	reg.exe
2620	reg.exe
804	reg.exe
2400	reg.exe
1652	reg.exe
796	reg.exe
2220	reg.exe
4552	reg.exe
1292	reg.exe
1032	reg.exe
4328	reg.exe
4560	reg.exe
4184	reg.exe
1368	reg.exe
4144	reg.exe
2328	reg.exe
1364	reg.exe
1092	reg.exe
4464	reg.exe
4828	reg.exe
380	reg.exe
740	reg.exe
3968	reg.exe
4024	reg.exe
2220	reg.exe
1428	reg.exe
540	reg.exe
400	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3428	10be76fd5d5e9cbea101cf33bdac7a42.exe
3428	10be76fd5d5e9cbea101cf33bdac7a42.exe
3428	10be76fd5d5e9cbea101cf33bdac7a42.exe
3428	10be76fd5d5e9cbea101cf33bdac7a42.exe
2520	10be76fd5d5e9cbea101cf33bdac7a42.exe
2520	10be76fd5d5e9cbea101cf33bdac7a42.exe
2520	10be76fd5d5e9cbea101cf33bdac7a42.exe
2520	10be76fd5d5e9cbea101cf33bdac7a42.exe
2020	10be76fd5d5e9cbea101cf33bdac7a42.exe
2020	10be76fd5d5e9cbea101cf33bdac7a42.exe
2020	10be76fd5d5e9cbea101cf33bdac7a42.exe
2020	10be76fd5d5e9cbea101cf33bdac7a42.exe
4924	10be76fd5d5e9cbea101cf33bdac7a42.exe
4924	10be76fd5d5e9cbea101cf33bdac7a42.exe
4924	10be76fd5d5e9cbea101cf33bdac7a42.exe
4924	10be76fd5d5e9cbea101cf33bdac7a42.exe
3068	cmd.exe
3068	cmd.exe
3068	cmd.exe
3068	cmd.exe
4192	10be76fd5d5e9cbea101cf33bdac7a42.exe
4192	10be76fd5d5e9cbea101cf33bdac7a42.exe
4192	10be76fd5d5e9cbea101cf33bdac7a42.exe
4192	10be76fd5d5e9cbea101cf33bdac7a42.exe
740	10be76fd5d5e9cbea101cf33bdac7a42.exe
740	10be76fd5d5e9cbea101cf33bdac7a42.exe
740	10be76fd5d5e9cbea101cf33bdac7a42.exe
740	10be76fd5d5e9cbea101cf33bdac7a42.exe
2816	10be76fd5d5e9cbea101cf33bdac7a42.exe
2816	10be76fd5d5e9cbea101cf33bdac7a42.exe
2816	10be76fd5d5e9cbea101cf33bdac7a42.exe
2816	10be76fd5d5e9cbea101cf33bdac7a42.exe
2812	reg.exe
2812	reg.exe
2812	reg.exe
2812	reg.exe
4704	10be76fd5d5e9cbea101cf33bdac7a42.exe
4704	10be76fd5d5e9cbea101cf33bdac7a42.exe
4704	10be76fd5d5e9cbea101cf33bdac7a42.exe
4704	10be76fd5d5e9cbea101cf33bdac7a42.exe
5028	10be76fd5d5e9cbea101cf33bdac7a42.exe
5028	10be76fd5d5e9cbea101cf33bdac7a42.exe
5028	10be76fd5d5e9cbea101cf33bdac7a42.exe
5028	10be76fd5d5e9cbea101cf33bdac7a42.exe
4824	reg.exe
4824	reg.exe
4824	reg.exe
4824	reg.exe
2516	10be76fd5d5e9cbea101cf33bdac7a42.exe
2516	10be76fd5d5e9cbea101cf33bdac7a42.exe
2516	10be76fd5d5e9cbea101cf33bdac7a42.exe
2516	10be76fd5d5e9cbea101cf33bdac7a42.exe
4240	10be76fd5d5e9cbea101cf33bdac7a42.exe
4240	10be76fd5d5e9cbea101cf33bdac7a42.exe
4240	10be76fd5d5e9cbea101cf33bdac7a42.exe
4240	10be76fd5d5e9cbea101cf33bdac7a42.exe
2344	reg.exe
2344	reg.exe
2344	reg.exe
2344	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2392	SwwcsgIw.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe
2392	SwwcsgIw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 3140	3452	Process not Found	92
PID 3452 wrote to memory of 3140	3452	Process not Found	92
PID 3452 wrote to memory of 3140	3452	Process not Found	92
PID 3452 wrote to memory of 2392	3452	Process not Found	91
PID 3452 wrote to memory of 2392	3452	Process not Found	91
PID 3452 wrote to memory of 2392	3452	Process not Found	91
PID 3452 wrote to memory of 4200	3452	Process not Found	1133
PID 3452 wrote to memory of 4200	3452	Process not Found	1133
PID 3452 wrote to memory of 4200	3452	Process not Found	1133
PID 4200 wrote to memory of 3428	4200	cmd.exe	1290
PID 4200 wrote to memory of 3428	4200	cmd.exe	1290
PID 4200 wrote to memory of 3428	4200	cmd.exe	1290
PID 3452 wrote to memory of 4092	3452	Process not Found	1289
PID 3452 wrote to memory of 4092	3452	Process not Found	1289
PID 3452 wrote to memory of 4092	3452	Process not Found	1289
PID 3452 wrote to memory of 3556	3452	Process not Found	1288
PID 3452 wrote to memory of 3556	3452	Process not Found	1288
PID 3452 wrote to memory of 3556	3452	Process not Found	1288
PID 3452 wrote to memory of 4620	3452	Process not Found	99
PID 3452 wrote to memory of 4620	3452	Process not Found	99
PID 3452 wrote to memory of 4620	3452	Process not Found	99
PID 3428 wrote to memory of 4120	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1287
PID 3428 wrote to memory of 4120	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1287
PID 3428 wrote to memory of 4120	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1287
PID 4120 wrote to memory of 2520	4120	cmd.exe	100
PID 4120 wrote to memory of 2520	4120	cmd.exe	100
PID 4120 wrote to memory of 2520	4120	cmd.exe	100
PID 3428 wrote to memory of 364	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1285
PID 3428 wrote to memory of 364	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1285
PID 3428 wrote to memory of 364	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1285
PID 3428 wrote to memory of 2652	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1284
PID 3428 wrote to memory of 2652	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1284
PID 3428 wrote to memory of 2652	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1284
PID 3428 wrote to memory of 4800	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1283
PID 3428 wrote to memory of 4800	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1283
PID 3428 wrote to memory of 4800	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1283
PID 3428 wrote to memory of 2900	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1282
PID 3428 wrote to memory of 2900	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1282
PID 3428 wrote to memory of 2900	3428	10be76fd5d5e9cbea101cf33bdac7a42.exe	1282
PID 2900 wrote to memory of 4704	2900	cmd.exe	1221
PID 2900 wrote to memory of 4704	2900	cmd.exe	1221
PID 2900 wrote to memory of 4704	2900	cmd.exe	1221
PID 2520 wrote to memory of 3352	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1280
PID 2520 wrote to memory of 3352	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1280
PID 2520 wrote to memory of 3352	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1280
PID 3352 wrote to memory of 2020	3352	cmd.exe	1278
PID 3352 wrote to memory of 2020	3352	cmd.exe	1278
PID 3352 wrote to memory of 2020	3352	cmd.exe	1278
PID 2520 wrote to memory of 2220	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1277
PID 2520 wrote to memory of 2220	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1277
PID 2520 wrote to memory of 2220	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1277
PID 2520 wrote to memory of 5004	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1276
PID 2520 wrote to memory of 5004	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1276
PID 2520 wrote to memory of 5004	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1276
PID 2520 wrote to memory of 764	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1275
PID 2520 wrote to memory of 764	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1275
PID 2520 wrote to memory of 764	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1275
PID 2520 wrote to memory of 1736	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1274
PID 2520 wrote to memory of 1736	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1274
PID 2520 wrote to memory of 1736	2520	10be76fd5d5e9cbea101cf33bdac7a42.exe	1274
PID 1736 wrote to memory of 1064	1736	cmd.exe	1272
PID 1736 wrote to memory of 1064	1736	cmd.exe	1272
PID 1736 wrote to memory of 1064	1736	cmd.exe	1272
PID 2020 wrote to memory of 4344	2020	10be76fd5d5e9cbea101cf33bdac7a42.exe	1271

System policy modification 1 TTPs 50 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	10be76fd5d5e9cbea101cf33bdac7a42.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	10be76fd5d5e9cbea101cf33bdac7a42.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	10be76fd5d5e9cbea101cf33bdac7a42.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	10be76fd5d5e9cbea101cf33bdac7a42.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
"C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe"
1⤵
PID:3452
- C:\ProgramData\iqwIEsoc\SwwcsgIw.exe
  "C:\ProgramData\iqwIEsoc\SwwcsgIw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2392
- C:\Users\Admin\cEwwIcMo\fogokUkM.exe
  "C:\Users\Admin\cEwwIcMo\fogokUkM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    PID:756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      PID:3988
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:2892
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4092
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:4668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        5⤵
        
        PID:4428
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4620

C:\ProgramData\LsosUwwo\CiEQQMwI.exe
C:\ProgramData\LsosUwwo\CiEQQMwI.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3816

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCMkcgwU.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Suspicious use of WriteProcessMemory
  PID:1736
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:764
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5004
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4704
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScoEUMck.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SesYgAoA.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:2096
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3516
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      Modifies registry key
      PID:2620
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:3208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      PID:4544
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:1368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:376
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2708
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1684

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqEswwgI.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:1364
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcogIsww.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1060
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqwIUQwE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:3912
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:3996
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4328
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgooMAow.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2792
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4012

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:1828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4308
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:1412

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqYQwogE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:1664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:736
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:2208

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:2560
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4152
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
      C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
      4⤵
      PID:5088
    - - C:\Users\Admin\nsoUAEAI\CSAYUwAw.exe
        
        "C:\Users\Admin\nsoUAEAI\CSAYUwAw.exe"
        5⤵
        
        PID:3068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 312
        6⤵
        Program crash
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIwEoMkM.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        5⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOckUkMc.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        6⤵
        
        PID:4708
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3176
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4340
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1040
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        5⤵
        
        PID:4136
    - - C:\ProgramData\iEAwQEMQ\ssIsIscw.exe
        
        "C:\ProgramData\iEAwQEMQ\ssIsIscw.exe"
        5⤵
        
        PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:4360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:876
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:4760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:1180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3368
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2220
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1704
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMIsQYss.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:1428
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeccgoYI.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwoAUgwM.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4440
    - - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        5⤵
        
        PID:4012
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2284
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3448
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      PID:4704
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        UAC bypass
        
        PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    - Checks whether UAC is enabled
    - System policy modification
    PID:1764
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2220
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2600
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKgYUwYA.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:692
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Blocklisted process makes network request
    PID:2216

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:692
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:3176

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    PID:796
  - - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
      C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
      4⤵
      PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2816
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4824

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:1092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:3744
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEYYoooU.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:400

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3704
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1436

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\veAIIQkY.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4496
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    PID:5020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQYQockM.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      PID:4000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3928
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqgcIgsE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:2500
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2308
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4388
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4864
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:1412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4428
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:1548
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3144

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:1848
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSwsUsog.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3136
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3196
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:4000
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqUUMMAg.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        6⤵
        
        PID:4748
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:528
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3948
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        7⤵
        
        PID:1748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqAgEUAs.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        6⤵
        
        PID:2280
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:3784
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4324
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:5056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        6⤵
        
        PID:4776
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:4184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        5⤵
        
        PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      PID:4200
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:400
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buEIwAsc.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:1432
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyUwwUYY.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:380
    - - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        5⤵
        
        PID:2840
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4340
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      PID:3344
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    PID:4944

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3152
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqcQossg.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:4324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYYAQQwY.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      PID:2600
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:680
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:4136
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAYYYEoY.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
        6⤵
        
        PID:4412
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:3968
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4504
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        6⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      PID:3144
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
      C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
      4⤵
      PID:4336
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:1848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkggsEss.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      PID:640
    - - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        5⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4912
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        5⤵
        
        PID:5020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKAQkkgE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1456

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkMQwsYo.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:1152
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4412
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:880
  - - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
      C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fawcMUwk.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4144
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2004
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:2772

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:1760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:5104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    PID:4324
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:4548
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUMIUwYk.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:3548
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3928
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1664
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5028
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3728
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkooAAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:2968
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3504
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2776
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4236

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3428
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:1584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:4300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3708
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osYoAgAg.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:1284
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2400
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:400
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:2800

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCEggEIE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:4500
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    PID:3448
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3160
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4328
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOMwcQEc.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:4852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:4912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:2196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQYcIoUU.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:3928
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:880
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1368
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:4240
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4492

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:4088
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2580

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:4852

C:\ProgramData\EWMQYsUE\mkYAgsEk.exe
C:\ProgramData\EWMQYsUE\mkYAgsEk.exe
1⤵
PID:1764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 280
  2⤵
  - Program crash
  PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 372
1⤵
- Program crash
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1764 -ip 1764
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4388 -ip 4388
1⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:2708
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIYUMIUk.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:3912
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1172
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3196
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:876
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:784

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:1912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiMUkYAA.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeMcYEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3752
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3876
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2252
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4120
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:3556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:3152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWkEwMMo.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmUEkgYo.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:972
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PisEwgsA.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:400
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    PID:1432
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2216
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:3968
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwYgMgEs.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:2676
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSMgkMcI.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyskUEsk.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4200
    - - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3428
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2192
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4484
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2708
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      Adds Run key to start application
      PID:5088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      Checks whether UAC is enabled
      System policy modification
      PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
      C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
      4⤵
      Modifies visibility of file extensions in Explorer
      Suspicious behavior: EnumeratesProcesses
      PID:4240
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:628
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3976
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqQcQAwY.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3428
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:3352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMMAcMcE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SisAoAQk.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:3924
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3036
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3688
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:4736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UacoMYgI.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWUsAEEc.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aikEsYks.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4236
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:4136
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1996
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  - Checks whether UAC is enabled
  - System policy modification
  PID:2400

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:2772
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3068 -ip 3068
1⤵
PID:3184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYEkUEgE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:2892
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4484
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAUcIcwc.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:1484
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4624
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4012
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaskwYcw.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:4472
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2112
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:1748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWMIwIAc.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:1364
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:692
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    PID:3160
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2896
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqMsYYQM.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:2652
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCYcgEwY.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uacQgkAU.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:4380
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
    C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1596
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYsAccks.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:4492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKskYAsY.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:4776
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4088
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2192
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3208
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:756
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:4820
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiEYIQkw.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:1960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEAMUQEk.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- UAC bypass
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEwYQQQU.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaooYUEI.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:376
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:4624
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqYcogkU.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:2580
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQwooIIM.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4296
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2812
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:4252
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4388
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
        5⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4328
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1376
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      PID:4328
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:3784
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  PID:692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cyAYwcIk.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:876
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2616
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3880
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3744
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcwgAkgM.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaggEgos.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3880
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:3696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMYkUgoE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:3344
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4704
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3728
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUYYYMoI.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:4208
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4748
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCAoAcYE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:376
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
PID:680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMIggkIA.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:3152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQAwgQII.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:3428
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1040
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1292
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:1668
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoUQwYcM.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAocMccA.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:2652
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1428
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2500
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4360
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3344
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:3400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duUgYAkY.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:876
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:3700
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:2208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWAcoAgg.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:3400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4088
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:3672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKccYsIo.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQgYgcwg.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2900
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4800
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
      4⤵
      Modifies visibility of file extensions in Explorer
      Suspicious use of WriteProcessMemory
      PID:4120
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2280
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:224
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:4708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMkMMooo.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1640
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMkMYMUU.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:3968
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4360
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  PID:1636
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4120
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
- Modifies visibility of file extensions in Explorer
PID:3196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUQkgIgI.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEUggwQc.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4932
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1172

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYkgsgAE.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOUgUwAM.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmgMowco.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:376
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3976
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:400
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgIAswgY.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqEMgwgM.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
  2⤵
  PID:4240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSsoskok.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:4192
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4144
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3352
    - - C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
        
        C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:4464
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Modifies registry key
    PID:4552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3092
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4472
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1432
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1092
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
  2⤵
  PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQcQEswc.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
    3⤵
    PID:1292
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4340
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4024
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - UAC bypass
    PID:1828
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
    3⤵
    PID:2116
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aucMYEIw.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1376
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:4344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Modifies visibility of file extensions in Explorer
PID:2792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcUskAso.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
- Modifies visibility of file extensions in Explorer
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:4880
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAEsAMAk.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:2284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4388
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSoUMUEo.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4328
- C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
  C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:4704
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:4024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2652
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2004

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
PID:4824
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWUAAsEU.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
- Modifies visibility of file extensions in Explorer
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:1548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUgAsMEw.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RigAMEMY.bat" "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe""
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- UAC bypass
PID:380

C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42.exe
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42"
1⤵
PID:4344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LsosUwwo\CiEQQMwI.exe

Filesize
151KB

MD5
be58a70b1c9a837b91fd366e5977a020

SHA1
30b4696cb55234edd8b40078a9bbcfa7e240ca76

SHA256
3da7179552a1a406c9c306844b3e29f4dea9c6837cffa77e50a09b4cdef9bc13

SHA512
04035e343cc0c4b05a273f12c70d0405fbfba9e7ae6b71e2082cab7ed64b83b70abb63f74fc07e89b36e505208c602a7a973541d275e5f1fef2156c962f90412

Download Submit
C:\ProgramData\LsosUwwo\CiEQQMwI.exe

Filesize
146KB

MD5
f67f268315c2dc95ccb8b77c57573d78

SHA1
d966b0bf47c90aab359805fa60e9f262bea0e653

SHA256
1e66a91e9f944f598010f02b73cc20c31410b146249cd4d3455e03153c8cef45

SHA512
602c08501ffaba7c21780b45f0852c09b78ea4ed37ed4514fa1922ba2bc58a9f52f2587d02b028dbf8aff8bc6684596b94c221285f18680328d961de5a1ebbd6

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
875KB

MD5
92121e435e52f660d3d8b585a63a8890

SHA1
6e0c5335eb77e806c1d83c1f5e7ab8bd156e2a13

SHA256
3f34d615c308f551627d3f920a80764972b476f955fc0bd52ba53d096c0e5e8e

SHA512
cd057de37e721ebfe578706146ff39a0126219825c559edfbba8b04fc0b710eccf75809ad9addafba80f24feedac5f1f42f1e860a4d313ffabb9ddcf6be00fe0

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
41KB

MD5
5008c7bf730aa4d8ae4539ceb5b5b7e1

SHA1
eb922f07a58f028f5fc33d5e8efa52079364cfe6

SHA256
12dd7d8c12dea558291d8cffb0e6fd49c105d9981a5b572c0c3eac7ed8cc3c85

SHA512
d9b62b059378b98803d3432d161750ef90698ae79b296b6e9ff43db3cfcac34422bbad2ddc73f33dfa24fe82cac5c544485e997037054d8e5fc106cd35a9d70d

Download Submit
C:\ProgramData\iqwIEsoc\SwwcsgIw.exe

Filesize
141KB

MD5
06772a9f7679a43f7d4227dce3edce9d

SHA1
1177481ae0854d09c8c54c2375f7a034da130ecf

SHA256
f26f2a18e8bc52788eaaf385a16c15285035a550708875bc4e5315309d1cdad8

SHA512
4223521e356ff6c30bccf11a04d54b17a4f461d259506d92da630bab5c7071e5e700cec123f50a4b4e8518454ef1595ef3ac21c080c385fd323a8345872c0e88

Download Submit
C:\ProgramData\iqwIEsoc\SwwcsgIw.exe

Filesize
122KB

MD5
71f1a9cea8d0cb328f534e41e4762411

SHA1
7212189e3a0dc0bcf0034f7998c90cf6d0011c06

SHA256
d572f56be3df9fd0071dfaa4b1517252259d333a05eb3e533a3a7e0cdba0f232

SHA512
245b3c3d73c29518263664d87486a7d949eac1494c33627e41908ac319fc0721a23974beaa9255485a86eebefaabc9e2652061576b7a15cb4b6d9dc50e5abcbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

Filesize
435KB

MD5
f576fc68017b6247d032b52621951044

SHA1
a763259d3bbb2757495fc188cda62a8778c2864c

SHA256
7e757f97bb30c8722d24dfa97a50761b85324898e6e5ec6cde0acb1bc5f4c705

SHA512
03929049fe068f1c6837a063c0d908179da55f865106a893d930b54436edb31a1b3dc488843269211e9fa18e62149aec7bcdc4b2089d04e999762093e3702c92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

Filesize
435KB

MD5
34af6773dbbcce4595423f3f1ad83693

SHA1
5249ae2a1d5c88ca785a3235bf4e7ec7ac7d5c56

SHA256
208ca0514daa6c9b623f554f3285c118973102048549120e4956a583e9d8777b

SHA512
118a39672f658fe27b66bdb6aa0c2cf1d84b1501bd20e2f840cf7477914dea391a65555947c0c6d99a18c4783b6a7c84f4ff10d7d3fe6a08ef8c6b3d78021ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
437KB

MD5
4a486514fa30709a8f497d9358e67364

SHA1
7187cd10e427a0a16135d3bec562b093b9c5dffb

SHA256
cddf74aed16d11d9e748a40e07015d91dc6908f9dc715c25f01ee52ea56fcfce

SHA512
9f2a86f7cc9cc626529795aff440d335580fd853998d5c6880a2a767e27224cba1dc504fc2f203a8633f073c5d855240453fe78ed870f33b335eb0d911971b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42

Filesize
48KB

MD5
35cbde129d22ad6080dc8fed0fd3e185

SHA1
e29871c61fe34d7159cf12daa543e1679f3ef63a

SHA256
eaed558d6439df7f6172277ad993c778b631aa73ffce8cd9619b525ff92a2265

SHA512
009e3a9714454ae0b0ea87d391dd42583a390ce74d249a0421318dfa8af27e98d4cfc625f1923304a177a6824210c687f522082783c9920beeba3ab078ae2f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\10be76fd5d5e9cbea101cf33bdac7a42

Filesize
33KB

MD5
98be735e2d8c2398afba11ad1d45ce3e

SHA1
fac0a7c3e7d134e3e09afbd0d14a6ac3483215df

SHA256
83dc9a629e9127a03bcb558813c183fea8f7dca2338a93c29578b8acc1f7390f

SHA512
77fbf0494fce1d82ed2a2c49fdc810626afc696e0c70b0ad109df0f914c5f30c8babce22e119267b3fbe93c8c8ea283d464b00a4bdcba0a0b7b67a38e301ad7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMsI.exe

Filesize
441KB

MD5
263ee8d44f4e16023c030b3655c24fdb

SHA1
3a870520a39a81ef19c8b2329d2468de6d08d7a6

SHA256
51592ea68ab99cd9d7ae1d2be2be35fc5c9673b7215c629688442ad6d88dbe4a

SHA512
d8211be4e3d5a4025ba6cf4db4567ead99e83936375e10b30bc719aad5da65ebb4b92b1be3b71b81601034a6f6bcde3a1e5b563e596f9665cc4e859ad2d1e61c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUgE.exe

Filesize
434KB

MD5
14c58de8e9a53f56ba5dc1b99adad491

SHA1
49a479240150f4294966945e5688c2dd7c408af9

SHA256
852a821572934eba7b87b88f178fd1b35474901d95b1df2a7aa39176c18de1f6

SHA512
a3e55324fe50651f7117fec6f9b3510db13fb9800efafb19ed1c623dc8ba1be099d2a4297834d1dd12195622840b38dc494fcb6357f00e23831981a26ab09070

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwYc.exe

Filesize
443KB

MD5
c97f867ef058dfdf3204658affebae57

SHA1
7bde3937eb17ff6105a92046234dfca30f788cc2

SHA256
7d2fca3abc8d566a77b7d6737ed27e967dfa562b2da08aa8ddb2b445e7187a87

SHA512
1fe2e97030d3c50d55b775657d4674b74119eb54565b0cc4da390746fc70330e60d9a7edddbb8d14742fa65036cad2b445ad9acb55a20cb6cc1e4cebcf452766

Download Submit
C:\Users\Admin\AppData\Local\Temp\EygA.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAgo.exe

Filesize
1KB

MD5
13da54a4e158225fde62dd482a4b33b0

SHA1
24a58954fdedb250baaf6a85475ad033df366261

SHA256
c6045a44fa097dcee1b5d031e2f6d9d315782d0f5a58657309fa119b30230cfc

SHA512
19ab6aa916b18d367759a714b7e9025a90c326b9352d4e3958a77dea36dd895480b66e9e479b038de1ecbae9890c0bf0e67baabc3bb38a667718fe5ae1a9e5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEUC.exe

Filesize
797KB

MD5
ba41b6337b288c4567adae300f54d1e5

SHA1
fa59db21659bfff32296710328554b386e6ea597

SHA256
ad8c351b4510f4fdfd8c3e7f45f2e4a7e5655128cd7c7eeff084a64fc8c7613e

SHA512
f316e45f7dcfdd31b131847ac1a33f9c2dcacaf55fd72558d66eac3817090557af7aa8d4d2cde0f63975213fc47c16dc6bee30bc9a8cd9d9615a6327e36d259e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIkW.exe

Filesize
438KB

MD5
379b647bf83a67c0316fb4bc361f3eec

SHA1
c66275f866c0ef18d7a785baf111013f0daa23f3

SHA256
50bd32749135a0848f2bf27606ee0682a0b7873a879222e659565b06216c8023

SHA512
7cdac5a57514e911e4a8e4be0b4cf69f1edf81deac15053af4c6bbbcc82390c467d2066532a12d8576fab6b1f157f7eb2aa59ff7a81eb991d9535abd605ced35

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYok.exe

Filesize
462KB

MD5
19417e879e4c1f72223a53de2c4e1d3a

SHA1
bffc4421413205bbd19f5ad2b1ae8357876c47fd

SHA256
6287c419848a88112be639fcb21a32bce6944222228ddc37b57b1fffac116f3e

SHA512
e8f84911f5380c17e9e99f4d992f87c4858c65a301a0128cfa13492ad20b43f0ea302e1f3ec802a31631c61193b6cf0b232af2c903bbac502a07a1eb143da20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgIW.exe

Filesize
434KB

MD5
b0ae3b7599328ef90a12ac4e2ee72792

SHA1
cb4afcfb1fb06712c825ed4d06140503ac2ca85d

SHA256
8b5d8c74c0a447001887af33b3696a02c711e13ac1b751952b9a4ee3e0ae5e9e

SHA512
321da23ee1698a61e9847dfa3af6366cfbbc89b659a76948ce5ba84ccf63a2c6ab539381d3dd6fffbc09fb751d182859b10a19c72f4a4a7d466246eb74244f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIUg.exe

Filesize
435KB

MD5
5651360c9e932fd8da07e3bba14c88bf

SHA1
ab8916ecbfe051e82228162e003936253d3e99fd

SHA256
60876ac5c5d507aaf0c3bfc96c2d4a5d1e97188f879767b9ad5fd918aafd396a

SHA512
de89e7207457a5bbea6d616280078a9f0216cee54b94d3159b55ddb00900522abd18ded67d2425708f0229cae436901d8ed5d8e665fdb23f9c86b860dca10f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IccW.exe

Filesize
80KB

MD5
add3c3a82f0aacef4a0613f119ed9245

SHA1
b416c8c4a85a70a5d5e4edb503f23300405de183

SHA256
41ccfb591588f124f8ad6a02ebebcca4346f199a16f32ea7eeb82636576e8983

SHA512
1cc4f8cf2b991d163d2988e9d88d6d95b16f17710fe168803ef97ae6deac83c33a3fe6e6ca26553c8672805f48e055bab09fb6af6e7649e08d4708dcd62c2f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIMU.exe

Filesize
437KB

MD5
7904894487c64d32570aed5844af7fee

SHA1
0129a8d25f8a2544a5ebe4a467b5d775291519de

SHA256
b122cdf6e582fe626c969bc12a0ea48c8514d29ee9db59bc6bf420531813a8c1

SHA512
b36436d2c1f6890c565748e6a889539d14248252205485c550d53abfe9718cacf3fd6777cca0ee50f8ff96a4b8100801d1f16865b244629d144640906976fcd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcYi.exe

Filesize
441KB

MD5
6e933df7043bca4185866b39057429d3

SHA1
884f86f8026db1992f7328f199032869c8fb3dc9

SHA256
99f66cd2cd28fb5d8e89eb7471ed3ff7eb84c50ccfc7916447d07a569c5826a2

SHA512
f28273c222577340f150c741e5ab53215619f4c9cb62761f6017fc0c94c074dc0878adf98e07f3d832c7a054cbe9e95175bf528acf3b53dea41f96aa2a459005

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgwi.exe

Filesize
55KB

MD5
5f34450f1acad08160461c968113faa4

SHA1
dc4f494850ac4822f1622c82db0ee03a752f3c82

SHA256
adfccc1edad210af431bde8f6bf610cc77f83ffa8504569636a053b88e98cac9

SHA512
d5e08682e329b7f9b182978c39f3ad65c0fd88b8e3f012b01d20a84198b116fe212d27dd84b1b98c70c9108c1363ba0e89137d514e9cec74da76780e143fe5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kosm.exe

Filesize
455KB

MD5
f2025a954f235d2f5283ce7d0b14e702

SHA1
81c54a60c81e60353db6f8f8be2b620141b9e6c1

SHA256
4611507c194a891afe22c832d3213d256510667afe6f03079e4b2d1d51b66d58

SHA512
85d5814d59c2b89a87ffd3e74a8f4405912e6d30d4536b31718cd5e3147c2557b88f319c61f6e89b3f59fb18e6fde431c7bc6bf464d963351fe5b7ff356e0a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\KscA.exe

Filesize
438KB

MD5
f03aebd835422d542020a2cf166fd0ac

SHA1
b092895e8ae4dbd57529436e193773989edef98a

SHA256
f1589c24473867867cb564299d5c62927e02ea75edbb990803d4bc02e2d8e923

SHA512
14f737dfe9e6681a82a55166f794b0ef4d25f24adb3b432e173848f7f9a249edcc48ea73d0c0c692ce84e23423eb8dc98a3ac4de230c683fdbeb1b044b173180

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgYu.exe

Filesize
62KB

MD5
59edcd43394ce4cc9be358d0c361ab63

SHA1
3c32c6e5eac002b2fd9f3e196ff3177337e4a8ad

SHA256
a2fa016ba4f7bc35a9443d2a6867fff012184583f42a3baf0a52d0e588b6ede7

SHA512
6474c4506263d5740c9807ce3cba17e120af07dc2768e659f613083abece397b5fb4337f7aedcb5088b087e0ce1bfcb42a726a2bf505ec777bae6f77ed7204e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQAa.exe

Filesize
1.0MB

MD5
4a38ff2502f8ab458119d40947fc143e

SHA1
3afb403cc29587139dbbff7b43762dc2ee4ded82

SHA256
e28f46a32dce8fe5c0bb334f0d7c2be941227928857c938773a36b8fa83e2c76

SHA512
eacefb4d066e0434e98fe765bbba25a025f1fdec942266fdda3ff03dc21b983bc346915200620bc4d52b17190e08f3ff6243c1fdf990102ec7f5a9e0e85fdfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCMkcgwU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQsK.exe

Filesize
888KB

MD5
8f2f75bec38701e4a761a48abe367c54

SHA1
81a74fb10336691532136fa013ff3fe1e3db8636

SHA256
18a1d60ed61ff8a5b8cefe8c553b0de93294f5040429d1e4b72bc7d143d23974

SHA512
3f4c0429f8d42795d44d8fa8398a995a94a0e5e5ea8ae093dc25faac834b8bfc967fd20519078bf134524165020418ce5e60b9abc6fb1dcf6135a4c2d26a9daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEEa.exe

Filesize
45KB

MD5
142183f388f8607eeb07411f222e7776

SHA1
489f0bf3ef8d4c730bfc33823d4ee4b2e396840a

SHA256
c37ad2685cd7c4623cae4aac1b1c7348d0fbb284c4e37113182109a98e280b7b

SHA512
ee0b83f3feb853487bd5130d718ffb5d2cc3cabf3a153b0407d42d9e165129cf2313db568f9aaa7b4e97e0afb6dab33f466728a00f95f7fc3cd0802770c749a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEIA.exe

Filesize
51KB

MD5
cac554c6828acbf8e7557159a9bf338e

SHA1
edbb95f739687b60845f4a347184dd7a787fe4b5

SHA256
c640a06a57cfece2b3a2bf995de2c554e1db6bbee71107594fc90cec4be067ee

SHA512
c29050a8385d2b81369bd4679a554aee7c7e353b6e7dd66979acb124eac8df4dd3dbaa37d5f62539ab470d711af5aa4a545bb21c0b2eded60d380b95600bc2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMIO.exe

Filesize
445KB

MD5
add43c2f3328c6754860f8d18f530f20

SHA1
137d4776842c20b79cfc06c77d10702733c1fd98

SHA256
ca57d1410c5cf8946bf87626dac2c53aaba9127412593dfd9508969af651969d

SHA512
ebe9755dbacc874c54fd5d55186da4a1ed99b357167d002e158846969533ad48fb5c7468f4d5b5f74cedda061b2b866ce3a95a5017821cba6e665e15b257efac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgks.exe

Filesize
1023KB

MD5
05daf74497bc4c135361a7cd1f7fcef3

SHA1
5520577b30aecf0cc53048398d6c826ec28a419e

SHA256
c75509634212e531c4982d5988571ecd7bb4df44c886a0003cc9274ecd0e29fe

SHA512
781a46a67a1fc3d195f0ac81aeed3615fedcba99d7447a7424f0a7b876fd70a9793bebf4658f51f079ae0ad990b924fed8e1764f71352bbbfcf9c34d83dafbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUsW.exe

Filesize
810KB

MD5
715702e2dc0a5cf18f9aeb9e76964c92

SHA1
aa7c2ff85add4162bc0b7b6ae44f6b898634f090

SHA256
1d51ca7228f2af34adff3b1639029b1b08acd743d904de8f7934e389f1cd636e

SHA512
ffb8c3c3d323d06767ad27b534a167cefc1640257b7bbd0af30eec196e51fcb8d8215de3a0d87398d6e91fda4df2c2e088f5e4bd202af398abc5e32568834940

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usgy.exe

Filesize
58KB

MD5
2221a7bb9e8effe4ef1c71656b06d482

SHA1
1459152b9c5c0e9377626df41bd7a563b2304483

SHA256
fcf072a8e485c8f630f794b9372033ce03a6b1b78d80af9f2844ca53a041d6c9

SHA512
18a639c21290f2b6a3d9bb5bba6a63db5332abd3e6979f1227203719d9259642e09021dede38319becd6b1dc9491c0f12d5319aa138294c52fbe13f747dd2806

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wgok.exe

Filesize
433KB

MD5
b902b5169b4a2bcf04a568f90bee0627

SHA1
d7de4a42c2385e05d99d76a710414b27aead4081

SHA256
1d66be68ef2c07ff73e6e59565be5f746e627e46da15461c3c1f8abda3f74b86

SHA512
793f3c4a56e89c249ee6b2223c6b1c6019d68cda4ba3f7c1fa4850898fb9f0b5b4cbcaa9635a6ad7cfc7615b7e00e833600eaa18052c630aae9a9fbbc64e4b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkIa.exe

Filesize
33KB

MD5
2981b87aa374d1b740cfe372d888fed1

SHA1
87502ab51f4f1433424c8caad110cf7c2b5337bd

SHA256
d8df2aef2da1b1d4775b80fbeefc8d4fa584b51a993b02be3557052f5eefc7df

SHA512
3c27ddefae9bc7dfb7d2e7f9ec2c3ea63f8d5cfb6cfd38c5271f2479f7f0ec3bcf93f09f77eb99bb3995ea3af12473d3b90ad9a6f1411629fabf1b64bc15f03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQAY.exe

Filesize
472KB

MD5
ed06e9f3c7c8e57adf79e267a730dc36

SHA1
4585ce5a766416e7a530a9a54b8eb2d221b37a83

SHA256
f00dd2659a7e5fbf7eb7fc26eb5e72653422ed33e1be01cb2e42691ab162f72f

SHA512
85546808ccd827c47654d34cace8d3af27d290de029b0d631ebedb482d399530e00c8b9740b9e9047d0e022c495614fd8311f307e60e7973b2aa1a4dbae3e041

Download Submit
C:\Users\Admin\AppData\Local\Temp\awca.exe

Filesize
446KB

MD5
8bd4bf0be0cd7a1b10cc654468d0686e

SHA1
d56fce86be2f9c085e1de70a2fa3544ba90797ff

SHA256
d3166e4de8c81fe77b16aea5f72dd5e7ab59a418aed535491ebb03fb5863200e

SHA512
e2e412f6136fa076ec3c1c491d0bdc66a8f7ea60b52601bdd1322892e9809fa9699480b0e3faff0af6c39f89d6d814de64bdcb9d901937a26d786c2b83974e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\csQk.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\csQy.exe

Filesize
106KB

MD5
586afca18f1bf265e2fa59fa1195ebb6

SHA1
ea0e87b40a75a1dd60d58070e570ed4cd4f6cdfe

SHA256
d7c80f7c8b7f35478e14350899a924fd7e2d970c2ce42a394518d209d8f0cfe9

SHA512
8f0883c189190531ea146403b1086bb87a5a7da70e26761b48da65fd0d66428a5850d7486d6f5113d2a0baf632fd8460f3dbeb372bd8125cc265a8a89506d89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAIq.exe

Filesize
887KB

MD5
242bb0a715456d993b2ab769452cd24b

SHA1
c0d2bca7f57e0cd0529aee969aa5f1c5f1accd2e

SHA256
bf8f0069aadda20493ddc02767a62aa7f25109de1acd3b069eb752b5fd4af35f

SHA512
bea087cfe1a671b3c78701e8a1dcd81542a33badab99911e3f7cc7317f697c7662e763924ba7375bdf760e160ab1ef8138b7f36fca51dfeca6964bda242b10c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEMs.exe

Filesize
21KB

MD5
4630740d43bc1d3fd562cf5e148bdb10

SHA1
09a89efb7a7f0f43f104f76c2ab9a3c91e896baf

SHA256
e75a75140f23370e944086ce7f77037258762ca46e0276ab89cb9e4a3bc9c232

SHA512
cee0a2a970c40b67d27f18b8216405760714a44746f3d906268e91435d52826de101a0dce8878ba2d0224e1756557b084acf403c2a4e2a4111af8cddff0f243c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIAW.exe

Filesize
7KB

MD5
a1cc847de67744330e03e6b31f49f737

SHA1
b36e3ac87189ef5627ac8fbc22742368b49b8ff5

SHA256
7f746a9b1776e217d43bb2c86a68741a0ae4618a90547f94d9208766b4cbbbb3

SHA512
35fb832c409ce19db3ca9b77beb6782e49b736d5aed99eef8cf64910ea42c864f8fbfad233b07c755500b6e3a43ff07d9fed261d1e236879c9ff9261a45626bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIUq.exe

Filesize
62KB

MD5
b8d322d238402d813e70c884507360d7

SHA1
a23900e55ab0bcfc4167fc727882e2c68c247e8d

SHA256
7b5d66412a3894ccba25078937d791a65823e883b537860ec8bac5eae90ac15b

SHA512
a34a49556ecc6fd43a37432f22c8a7cbc6c02e574fd4acc3463067643b8b053c7778ab38b12dad35292dcd6e491e4300261c82f17cd1d9e7069a9b599ca1b0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\eocI.exe

Filesize
17KB

MD5
e31f6ffd051a2906e91bf9e76b949f16

SHA1
c27f7f0b39def5a2c89d9d1a215db9e3811e78fa

SHA256
0a3d291fb1b3c7acc1649d64e206173d164abe31a4996f7ffe2c96292b8f304b

SHA512
f26ad11765b3fb7f18d8657223ab76885135ee81bcaf345eb816d17568b2b1060df63b30f3c1190e41e374483c38689861846a6b68c8f624630b80e7040c8e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\escM.exe

Filesize
438KB

MD5
c41c9a48b6a2cfeacc7cf23dd71c2ed8

SHA1
81abba9118141fe2a050fd0f6078062cc0ce28d9

SHA256
4d5d22aeabb303ed92bea52c47c5634df2360463e7d3d72565c0d9e68d815d1d

SHA512
d16e6f84f0401afc106a0bebdcf395b0b7d84583502d7ca1297dc802a8f01305a9dd912554b35313785128351ef4136516e3ff042ba3d8ca1e9e8c77081c8368

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYUm.exe

Filesize
2KB

MD5
d8d298ebacdb4d02588c059c85b17bca

SHA1
512f2df81276d413afb4c41eff2e64582036d690

SHA256
2f58f5e712bbb307836ba96817a9cc6f9bde9be91177b3cdc8e3408ed8f4dee5

SHA512
595520337e6429c6c33675fa80a2c3f339e1ee37bd4a22c96ff263ae228b7c913a058905133be9733fbd6f9cba708d01afc960330141b79bbfb840730da8f82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\guUI.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMUq.exe

Filesize
440KB

MD5
a4dd096d357c30effc6c037d0b6467da

SHA1
5e157b8bd3bc54fa1567a1df3eac6f9894649f5b

SHA256
9abbe2abb13d026a3b44d6f2203680841c144c67e0f9128303e5e445dd6abc8f

SHA512
dd708080843d215e4ec871e928fab1818d459d27c452b7238f880e78736f414987fcdde9faf2b927ff0917fa6a24f3871b80aec78db9c639a10b7e4ff22af89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQAe.exe

Filesize
443KB

MD5
08839998b69cd71c297ed6db0dd3d8f5

SHA1
8d949c1c7f1b9870171cba17d0ce2e55c63b1eb5

SHA256
1e888f6f9683b72172dac9dcfa4a6ef8271229f2e48e20fb02e07ab45b462d53

SHA512
dd24705f752d6da092d5dddda6a76d3f560947764210f9e12af8ff68980fae113561e94e74625c746656f6ac0fd125a4722c0fb8ce611e0cbee2ac77f8495d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\igoW.exe

Filesize
46KB

MD5
b00795d38f565e733479b169768356ad

SHA1
955451d256b6b442e043faad8525a3d9fb9285e9

SHA256
3be108ceac45ec62a9b03c529122b023a5d815378814dcc95eff764f949d90e4

SHA512
5ff5491512cb6bcc932556dba3707976fd3bdd893b27bfdf0d4f51d9cec44a44e434c50da59e0011745f7f272a14754ee8bf8f666c4e4849b85b067e9e46c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEMO.exe

Filesize
1.0MB

MD5
10f3a7f84c6bb0c4eb94c49771db2d09

SHA1
9dacf46703de94dac5bf86cf2f92d85be86fd63b

SHA256
ad209a9aca0a774878acc8d347860a05922ad64adff7fa70e3ca6ec121cb2624

SHA512
1b1975086e49cfc3c54fdce29559c4d9ed4c28dfab28be68dff37519a9565567394749ec154ef4239f8c1fed01c38790d7bbeb3fff6faa0bbe135d5ba6ca1d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEgU.exe

Filesize
879KB

MD5
eaf6e9a1df799dbcbe09a2bca8a3a090

SHA1
86cfed714b5193749b77d217bb06bd03ff605eb7

SHA256
5c2a5963fac149ecac6a41b1df9011092d32dac49c20df6f864b99f8dbd33895

SHA512
db78c7a4d1290e0f179e8c7263b4b80eb58e2ab4e1fa2812d1e730e98b1f2271664e773e7e997a033e9a16da559b86d14c0c4a9da663e4385aee7b1ba4238459

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYMa.exe

Filesize
46KB

MD5
6769fe1dd6ffc2ab5db1f7b47ecad7ec

SHA1
4ef55c91fb6d83aeba409e8778ee0fd4c61af3df

SHA256
bbd48489647cf4c39fbaad9be6597126760c288073c6bfad37e691466b643bca

SHA512
d7fd32b5d6ac1036a0122fd657121e890e2b08e2ae2ce9e343db1b247591c0553bb28139b233f4a0f5b25992c99bb79da58bafdf30fc475b0e0341f164eaa6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAQk.exe

Filesize
666KB

MD5
a6acb7ac6f2e2cdf2ffe3f73add3ec78

SHA1
59bfe5d5d82dab781f7eb432fff225ce79970cdd

SHA256
ff127b41b5fca9cfa8fb83929662b71fcf9466911b6d335450a6d8f0e782acb7

SHA512
31638bbbedfa61c75ce82db479626e3ac1f38b71e6d8c10cbbcdc915cb997bddfb966873ecd011ed06e7bc173ab939215aaa89d6f0540ee752eb0167b8570024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYcY.exe

Filesize
438KB

MD5
f1f10a518b5914c074bbd29df6035106

SHA1
63a40d94b5d4aa88c4cddfdbd2840bea760819be

SHA256
df9e3cf678d28b3219c68167c57295ae547526747df67fac545b495ed7d5c76c

SHA512
fd4ac1727e542ecdf103f10544b7c43353e7a7b446988cd327296ddb05693ed3403f12487d3d8408ecc4af62735c58add89db49dcc91525f513314993ee7a569

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAUK.exe

Filesize
441KB

MD5
bcafbfbfe28a07add9678dc44b518752

SHA1
78c9625e20641983c2284030434d5f9cdc83e310

SHA256
3392a2977a689093fdefa5b36a71c7e99a789245f3e3892680b6ae725578faeb

SHA512
3d8759d172b4129af6a5393fdc4c738d2961cf178739a77cdaa4fad781dc63bcc9a8855261a71ead7e56d4eac76da003921dbb965b94c52ebb128879af5ee3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUss.exe

Filesize
1.0MB

MD5
2726b0f198f1c896dc54e42f2a4b3a85

SHA1
455f1cecb8829be6295949e2a9f33d324ff8af73

SHA256
fd4cff109a84dce5cb32bb54c94861657b33ac232eeb9abe5e9e8717aca87dee

SHA512
9c59bce26ed433e50aac86677e3c64a7365ad66f466c987e018948f36c52a843294eb96a909c4897e23651dbc7e579a1a71c440f095a5d3dc24b83a656f6e4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\occE.exe

Filesize
442KB

MD5
a2bc77212192ef877519632a6b995e88

SHA1
1e76464dc41b826fbfb9a165b195b2190bd7f425

SHA256
a1dc7cd19675c822daae61d3ce9c43cd2dcd1245fd69d61fd6f9fe1b81002bac

SHA512
cf7e9e13e0a15011dd9cbe7127e820913b74b5aa36a979000e0beb1dca3a74ea2e8a5947b48a0d0499346f51327b1f6cc3cb9b07f94353e0cc8ccc8f0e39e712

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooQu.exe

Filesize
461KB

MD5
87f765440f8a782e511316a2294d80b2

SHA1
0112576eea3da57958b647c5340cdcb743143be0

SHA256
638119da298270d4168aacdc87167a7f859360d4778c33efba45f79bc7d540dc

SHA512
a99c6e9018e1ee035dc36584e43e5f306b8ebd9f0d6d428bad662e85ee6564f85a276f173d7c611ea9cd1cb5e80c3456a5f1812e520bf6b061830201e561f5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYsi.exe

Filesize
110KB

MD5
628db35bc09d66bc761b5122b7a2ae92

SHA1
f4eebc4bc370ccf74c08be1d07a019d835bfabb8

SHA256
d66c4515da9b6a17e311ec09ffe10f7c2e45bf9b31702efef2c97ef27a52a854

SHA512
3ff688e94abb4264925b67dd55437e89f7398829d9dd6be21a61522fa4085451d5b978d5fae99b8c262379e6ec1fa7a1d3daaa66efa1c35b83eaf978e63210f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUAM.exe

Filesize
442KB

MD5
12e257e73d847b3edd858551661c21bc

SHA1
65ea3e4e9897e4100fcee72a68fca3ea4b4c6392

SHA256
d4efcd9804b31214e37a5e8f61e2a19593bf786fa0ebfb3bf3c6f116a219082a

SHA512
2197d00ada8d9a571f161cc3450f516cdbaf1f50608a70a5ec5e126f43484734c706fd5ff159ed8030cbd5ac7ba7fc3b3dc738215f4d0cf83f4881f3e95a1f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYQi.exe

Filesize
435KB

MD5
837f20a64d071a249049334b89a2439d

SHA1
b0d1ab059b9c1f00a9e0e02fcaabf26de89042a0

SHA256
76856d26f671dd672dcc66df64283abdb1919f08db6b5625e39e5d60f18f9e82

SHA512
068405b10f9e77b064769b8563cd670b213e8050e1197b35cee95b9c6482bfe5cf7303a2efe0f768fed3f79a6ef88dc05788225c1685f79b8adc5b847e32aa09

Download Submit
C:\Users\Admin\AppData\Local\Temp\sook.exe

Filesize
447KB

MD5
46733a31d4179ad026845541a46234d1

SHA1
66fb48af89fe90b858eb79459bdf6be8b22bce2a

SHA256
3b0ccb9b3819e93e1c31e0b1d99bc805ed84b903003f32b24ed42e5685cf5def

SHA512
65ddb86b9344008502874ff605a5eb337287104f6623077888556f85b55e5748f2f48579f9aa31fc8bb867722b859b40c0b5f83da77ec827c647c33624bb5603

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssEi.exe

Filesize
10KB

MD5
a77333d25274aee42364a9f502ed5bce

SHA1
22f701c7a0b0aab996cc7afa85d5a6e505f5e833

SHA256
ee5c6c30cab6aafb3bd6d9994379b4dfef51a57f42dadcfb91258cdfb965ed5c

SHA512
7a40df2326390bc1561c74605712ea94c6642f1de510955ebab2c410aa15fc2c5394e614835e9b4c0b42385d93838bb77f306f5a5b74972fc86e6f32e711ccad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukMg.exe

Filesize
439KB

MD5
aeb566d662bfcb34f3ed2dbf9c3c1cf3

SHA1
ba757553a216f48803d036e944cde4567165e90d

SHA256
91bf3f78e263416e25da12dd86ac83efd2950c936eb2ae7e80e99f805f1d219c

SHA512
6b79b07c4611ffb1096adba4e9b82e142bb0f3be9d0828d330d798a68e1befb8b82b3650f8f511463f2540919fc8d388d370315cd0b72f2938e9445aa3b21158

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgQw.exe

Filesize
444KB

MD5
5b864eaf109d22c6c60b98577f0fa66b

SHA1
624ad21e09f075b19db3b06dcf7ba6575fa930c0

SHA256
0119b5034dbf82582460c53b0d22b29ff10228ed9346fa2387bf9ad2df3322b5

SHA512
5928218265383a3dbd4b2ef960574ce67553424e42c3ae03b3d246c135a88bc6322f3d36705419f05b3694ab559af3772f7262107bf659e19a5e77c4e0719a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkQC.exe

Filesize
560KB

MD5
f7477e4ff12ed9d5f658ff0002226265

SHA1
427810b58326eb3c4fad80fff2c0a1871f84471d

SHA256
794f31f497de0acfefea8a99764b69f28a7ec9d39a1bca22aaaab96597c02461

SHA512
427f9b1f01c4852fa1082234281ea8eb07bcb5fca448769886aeb4a14423e15449cebfc1abea844570f83b47d298fb7e1dd85a2bc9b80f1a9bb689e6a6c42169

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwMy.exe

Filesize
62KB

MD5
cd4f80fa5cae04a79514014ca524a17c

SHA1
a4b99e0f74b9f1ebb45ba0e78379a89c7c52aaf8

SHA256
64f8cd49e2a10e9378f159807fdacee7ae23f024ef3071a6367906c2d918f260

SHA512
7967b5707c7c4dd226edc5fdca71b95a6dca542b81ef0b178d1a7f583d2bb4411fc93c87ae27e6f8088be0978f8d0f8a8fe8bf3c81b16254bec4278146fbe530

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEQG.exe

Filesize
37KB

MD5
69400d11807e6ee7a6eb606de407ced2

SHA1
91746bf2c62e4b84fe7c56ca0d743ffac93d3c5f

SHA256
c2bf03ee250e50640ae74dd2628811c004fa3712c64d3666160c6760b3b6ad35

SHA512
2dbe47fad28a1fc3a7501edf042abd2091112e0a24af6cd56e45a5b71db2c737f16b079144dfc00aacd416c55817f39510d2304c37d700b13c7ae029e006aa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQcO.exe

Filesize
68KB

MD5
810c15b154a942a9e2bf0708730a2e60

SHA1
1ef2d89732105f30e92267ad6dafe672e7cb6900

SHA256
9ef7dfce9a5dfcdd45b6dfbc84ddfa7785bcf6d76525fc93ce456de1e5137fa7

SHA512
339bca31392d0a902f11dc17418ab7df28e4ed48af6275b623ebb3b6c0494b0904ace72d07c98f9983deb55956d9226a69a0472430775ff65548233d7d0bd05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQoU.exe

Filesize
476KB

MD5
08470664ae806b6a29afa796e0bd74fd

SHA1
6ee4810f11a2bb2a014b4200e48a3f58727b2a98

SHA256
be6f1aa8596816257c85fb4d34c4c30a5e2cfaca30e4d2ebd6600f059ed107b0

SHA512
8902c82f00c6813635d43ebacac431b8bb4f6e3ce66e41b01bb85a069a775ac8bad70a5e434799ad0bd3d137b6f5bbb25e90498d36bcd947ef212d8800616629

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUQm.exe

Filesize
444KB

MD5
e16cfa8ca12aaa0ceb34205bdb45438f

SHA1
bb1124f78845746ce9c9a2f622475d03a1dbfc79

SHA256
07c45c6102db75f4fd1c42fc9955a06accf0dd99c9d5c8c74b585afdf492ddfe

SHA512
5bc18c1aadd9d503cc74b949270e7f3b78ac4694f4fb523cd75fa42711ff491614c7eb41a4cd547b15363affc60c41ae894d2417d50289b4d33f3142fa983e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYUw.exe

Filesize
451KB

MD5
be33761196cf1e16dc547c33a366f58c

SHA1
be62e3d4d5bb607c5257b223d46548ffd43912bd

SHA256
97b3974688559fc8e52b8114f361cc7caf687ce3e0116dff0902eb43591f9ca1

SHA512
61f9be057874100ca1e4a61feec58194cbcd690c7165d33e9e65fae7fe544fa47e6a199b884f118623cc15046aeed926c704972b4021b8569c48fb50b866a7a8

Download Submit
C:\Users\Admin\cEwwIcMo\fogokUkM.exe

Filesize
272KB

MD5
4815c2e1d42a4ce1d15b11e02f32229b

SHA1
73bcd82f32ef442cc666a0de67347c113614f61b

SHA256
7260893853b23ae0ab1e6c083a89d1d79cba02893289486208b5c28c26f3f4b8

SHA512
9d832ed1dc44894f7077228f6769aa44850fedd3e8fb83bfde3ec1ad7cdb458cd784cf93d752a237204d9314342483ef05ea3c529c1598c6c18bd426797274b4

Download Submit
C:\Users\Admin\cEwwIcMo\fogokUkM.exe

Filesize
197KB

MD5
fa57d585c8f333eb880c44290ba2c94e

SHA1
ae210eb57e7df57b532ccc2797b2a502c747c9d3

SHA256
6579cc37976bbde4419b35eec4004cee1c5be45123c7b8bc8eaf4f7527a963f9

SHA512
4272b409751d36afa98f0d33d385ac4a3410704b688ff1d5a26d885c9f6453c7fdf67849a9c2ac8d1accb22baf047a20f92f287fdce196468003b80c27692941

Download Submit
memory/736-560-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/736-440-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/740-105-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/740-91-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/764-257-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/764-241-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1596-221-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1596-199-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1828-272-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1828-285-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2020-39-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2020-55-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2208-397-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2208-331-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2344-187-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2344-203-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2392-16-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2392-111-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2516-179-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2516-164-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2520-43-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2520-27-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2560-614-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2560-546-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2812-131-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2812-112-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2816-116-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2816-104-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3068-80-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3068-63-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3140-6-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3140-101-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3364-217-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3364-233-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3428-31-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3428-21-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3452-75-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3452-208-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3452-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3816-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3816-127-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3940-332-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3940-290-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4012-668-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4024-229-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4024-245-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4192-76-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4192-92-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4240-178-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4240-191-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4336-294-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4336-281-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4348-253-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4348-267-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4668-276-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4668-263-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4704-142-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4704-130-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4824-151-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4824-167-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4924-67-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4924-51-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5028-155-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5028-143-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download