59f828a2ac3c9211c1f4108053106b4747fd0f5beec37480ac500beb1f213c62

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b33dcdde306525f9dd0bce6b1b88dd.exe
Size

484KB
MD5

17b33dcdde306525f9dd0bce6b1b88dd
SHA1

d26781a26a1fd95cd6f59b4a1da7983062175695
SHA256

59f828a2ac3c9211c1f4108053106b4747fd0f5beec37480ac500beb1f213c62
SHA512

cb9374d93f274aa6eac44b7243473e0791ff942776aae5fcd4aa6aea6ba1b1ca1b0a3724ade7c0619ce191c79da975e558b3f1077b38afcbbc0ee583e73f7462
SSDEEP

12288:twZYOWYidkkN4mSDGHfL+ewv3dkZ54Med6rjNJ:yYOWF3GAwdkZbU6nNJ

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Renames multiple (56) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	LYskoEIo.exe

Executes dropped EXE 3 IoCs

pid	Process
4624	LYskoEIo.exe
4080	JIEAoQss.exe
1308	usYcQYww.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LYskoEIo.exe = "C:\\Users\\Admin\\tAIMQEYU\\LYskoEIo.exe"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JIEAoQss.exe = "C:\\ProgramData\\kOAggckI\\JIEAoQss.exe"	Conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LYskoEIo.exe = "C:\\Users\\Admin\\tAIMQEYU\\LYskoEIo.exe"	LYskoEIo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JIEAoQss.exe = "C:\\ProgramData\\kOAggckI\\JIEAoQss.exe"	usYcQYww.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JIEAoQss.exe = "C:\\ProgramData\\kOAggckI\\JIEAoQss.exe"	JIEAoQss.exe

Checks whether UAC is enabled 1 TTPs 40 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	17b33dcdde306525f9dd0bce6b1b88dd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	17b33dcdde306525f9dd0bce6b1b88dd.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sheShowDismount.gif	LYskoEIo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\tAIMQEYU	usYcQYww.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\tAIMQEYU\LYskoEIo	usYcQYww.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	LYskoEIo.exe
File opened for modification	C:\Windows\SysWOW64\sheGetUnlock.docm	LYskoEIo.exe
File opened for modification	C:\Windows\SysWOW64\sheGroupSend.mp3	LYskoEIo.exe
File opened for modification	C:\Windows\SysWOW64\sheRevokeRequest.xls	LYskoEIo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5000	reg.exe
1160	reg.exe
1316	reg.exe
1580	reg.exe
1176	reg.exe
4028	reg.exe
4052	reg.exe
1972	reg.exe
2284	reg.exe
3124	reg.exe
3824	reg.exe
1424	reg.exe
2508	reg.exe
1608	reg.exe
4268	reg.exe
4316	reg.exe
4264	reg.exe
4596	reg.exe
1492	reg.exe
1420	reg.exe
2160	reg.exe
4840	reg.exe
3504	reg.exe
2992	reg.exe
1912	reg.exe
4380	reg.exe
3540	reg.exe
4656	reg.exe
5000	reg.exe
2916	reg.exe
2148	reg.exe
3204	reg.exe
3200	reg.exe
3972	reg.exe
2296	reg.exe
4444	reg.exe
2284	reg.exe
452	reg.exe
1492	reg.exe
4384	reg.exe
1732	reg.exe
2356	reg.exe
2040	reg.exe
3616	reg.exe
744	reg.exe
2252	reg.exe
4400	reg.exe
964	reg.exe
4616	reg.exe
1436	reg.exe
3272	reg.exe
2544	reg.exe
4940	reg.exe
4984	reg.exe
1312	reg.exe
1176	reg.exe
4684	reg.exe
1100	reg.exe
1304	reg.exe
4916	reg.exe
640	reg.exe
1700	reg.exe
2072	reg.exe
3000	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4536	17b33dcdde306525f9dd0bce6b1b88dd.exe
4536	17b33dcdde306525f9dd0bce6b1b88dd.exe
4536	17b33dcdde306525f9dd0bce6b1b88dd.exe
4536	17b33dcdde306525f9dd0bce6b1b88dd.exe
2992	17b33dcdde306525f9dd0bce6b1b88dd.exe
2992	17b33dcdde306525f9dd0bce6b1b88dd.exe
2992	17b33dcdde306525f9dd0bce6b1b88dd.exe
2992	17b33dcdde306525f9dd0bce6b1b88dd.exe
3520	17b33dcdde306525f9dd0bce6b1b88dd.exe
3520	17b33dcdde306525f9dd0bce6b1b88dd.exe
3520	17b33dcdde306525f9dd0bce6b1b88dd.exe
3520	17b33dcdde306525f9dd0bce6b1b88dd.exe
2408	reg.exe
2408	reg.exe
2408	reg.exe
2408	reg.exe
228	17b33dcdde306525f9dd0bce6b1b88dd.exe
228	17b33dcdde306525f9dd0bce6b1b88dd.exe
228	17b33dcdde306525f9dd0bce6b1b88dd.exe
228	17b33dcdde306525f9dd0bce6b1b88dd.exe
1072	17b33dcdde306525f9dd0bce6b1b88dd.exe
1072	17b33dcdde306525f9dd0bce6b1b88dd.exe
1072	17b33dcdde306525f9dd0bce6b1b88dd.exe
1072	17b33dcdde306525f9dd0bce6b1b88dd.exe
3020	Conhost.exe
3020	Conhost.exe
3020	Conhost.exe
3020	Conhost.exe
4784	Conhost.exe
4784	Conhost.exe
4784	Conhost.exe
4784	Conhost.exe
320	17b33dcdde306525f9dd0bce6b1b88dd.exe
320	17b33dcdde306525f9dd0bce6b1b88dd.exe
320	17b33dcdde306525f9dd0bce6b1b88dd.exe
320	17b33dcdde306525f9dd0bce6b1b88dd.exe
1956	17b33dcdde306525f9dd0bce6b1b88dd.exe
1956	17b33dcdde306525f9dd0bce6b1b88dd.exe
1956	17b33dcdde306525f9dd0bce6b1b88dd.exe
1956	17b33dcdde306525f9dd0bce6b1b88dd.exe
3252	cmd.exe
3252	cmd.exe
3252	cmd.exe
3252	cmd.exe
224	17b33dcdde306525f9dd0bce6b1b88dd.exe
224	17b33dcdde306525f9dd0bce6b1b88dd.exe
224	17b33dcdde306525f9dd0bce6b1b88dd.exe
224	17b33dcdde306525f9dd0bce6b1b88dd.exe
2960	17b33dcdde306525f9dd0bce6b1b88dd.exe
2960	17b33dcdde306525f9dd0bce6b1b88dd.exe
2960	17b33dcdde306525f9dd0bce6b1b88dd.exe
2960	17b33dcdde306525f9dd0bce6b1b88dd.exe
1956	17b33dcdde306525f9dd0bce6b1b88dd.exe
1956	17b33dcdde306525f9dd0bce6b1b88dd.exe
1956	17b33dcdde306525f9dd0bce6b1b88dd.exe
1956	17b33dcdde306525f9dd0bce6b1b88dd.exe
3328	17b33dcdde306525f9dd0bce6b1b88dd.exe
3328	17b33dcdde306525f9dd0bce6b1b88dd.exe
3328	17b33dcdde306525f9dd0bce6b1b88dd.exe
3328	17b33dcdde306525f9dd0bce6b1b88dd.exe
320	17b33dcdde306525f9dd0bce6b1b88dd.exe
320	17b33dcdde306525f9dd0bce6b1b88dd.exe
320	17b33dcdde306525f9dd0bce6b1b88dd.exe
320	17b33dcdde306525f9dd0bce6b1b88dd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4624	LYskoEIo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe
4624	LYskoEIo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 4624	4536	17b33dcdde306525f9dd0bce6b1b88dd.exe	91
PID 4536 wrote to memory of 4624	4536	17b33dcdde306525f9dd0bce6b1b88dd.exe	91
PID 4536 wrote to memory of 4624	4536	17b33dcdde306525f9dd0bce6b1b88dd.exe	91
PID 4536 wrote to memory of 4080	4536	Conhost.exe	92
PID 4536 wrote to memory of 4080	4536	Conhost.exe	92
PID 4536 wrote to memory of 4080	4536	Conhost.exe	92
PID 4536 wrote to memory of 1816	4536	Conhost.exe	1204
PID 4536 wrote to memory of 1816	4536	Conhost.exe	1204
PID 4536 wrote to memory of 1816	4536	Conhost.exe	1204
PID 1816 wrote to memory of 2992	1816	cmd.exe	1203
PID 1816 wrote to memory of 2992	1816	cmd.exe	1203
PID 1816 wrote to memory of 2992	1816	cmd.exe	1203
PID 4536 wrote to memory of 2116	4536	Conhost.exe	1202
PID 4536 wrote to memory of 2116	4536	Conhost.exe	1202
PID 4536 wrote to memory of 2116	4536	Conhost.exe	1202
PID 4536 wrote to memory of 3344	4536	Conhost.exe	1201
PID 4536 wrote to memory of 3344	4536	Conhost.exe	1201
PID 4536 wrote to memory of 3344	4536	Conhost.exe	1201
PID 4536 wrote to memory of 1652	4536	Conhost.exe	1200
PID 4536 wrote to memory of 1652	4536	Conhost.exe	1200
PID 4536 wrote to memory of 1652	4536	Conhost.exe	1200
PID 2992 wrote to memory of 4780	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1199
PID 2992 wrote to memory of 4780	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1199
PID 2992 wrote to memory of 4780	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1199
PID 4780 wrote to memory of 3520	4780	cmd.exe	1198
PID 4780 wrote to memory of 3520	4780	cmd.exe	1198
PID 4780 wrote to memory of 3520	4780	cmd.exe	1198
PID 2992 wrote to memory of 3272	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1197
PID 2992 wrote to memory of 3272	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1197
PID 2992 wrote to memory of 3272	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1197
PID 2992 wrote to memory of 1436	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1196
PID 2992 wrote to memory of 1436	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1196
PID 2992 wrote to memory of 1436	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1196
PID 2992 wrote to memory of 2072	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1194
PID 2992 wrote to memory of 2072	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1194
PID 2992 wrote to memory of 2072	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1194
PID 2992 wrote to memory of 4132	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1127
PID 2992 wrote to memory of 4132	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1127
PID 2992 wrote to memory of 4132	2992	17b33dcdde306525f9dd0bce6b1b88dd.exe	1127
PID 4132 wrote to memory of 4452	4132	cscript.exe	1134
PID 4132 wrote to memory of 4452	4132	cscript.exe	1134
PID 4132 wrote to memory of 4452	4132	cscript.exe	1134
PID 3520 wrote to memory of 3252	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1191
PID 3520 wrote to memory of 3252	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1191
PID 3520 wrote to memory of 3252	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1191
PID 3252 wrote to memory of 2408	3252	cmd.exe	880
PID 3252 wrote to memory of 2408	3252	cmd.exe	880
PID 3252 wrote to memory of 2408	3252	cmd.exe	880
PID 3520 wrote to memory of 1700	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1190
PID 3520 wrote to memory of 1700	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1190
PID 3520 wrote to memory of 1700	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1190
PID 3520 wrote to memory of 5000	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1189
PID 3520 wrote to memory of 5000	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1189
PID 3520 wrote to memory of 5000	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1189
PID 3520 wrote to memory of 4616	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1188
PID 3520 wrote to memory of 4616	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1188
PID 3520 wrote to memory of 4616	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1188
PID 3520 wrote to memory of 740	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1187
PID 3520 wrote to memory of 740	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1187
PID 3520 wrote to memory of 740	3520	17b33dcdde306525f9dd0bce6b1b88dd.exe	1187
PID 740 wrote to memory of 4308	740	cmd.exe	1183
PID 740 wrote to memory of 4308	740	cmd.exe	1183
PID 740 wrote to memory of 4308	740	cmd.exe	1183
PID 2408 wrote to memory of 4260	2408	reg.exe	1182

System policy modification 1 TTPs 40 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	17b33dcdde306525f9dd0bce6b1b88dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	17b33dcdde306525f9dd0bce6b1b88dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	17b33dcdde306525f9dd0bce6b1b88dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
"C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\tAIMQEYU\LYskoEIo.exe
  "C:\Users\Admin\tAIMQEYU\LYskoEIo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4624
- C:\ProgramData\kOAggckI\JIEAoQss.exe
  "C:\ProgramData\kOAggckI\JIEAoQss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4080

C:\ProgramData\FKgcsscA\usYcQYww.exe
C:\ProgramData\FKgcsscA\usYcQYww.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amAkEcME.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:4132
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4452
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3424

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:2256
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOkQAQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
      C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
      4⤵
      PID:1516
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:112

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:2344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:3184
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:2356
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sggoYwUo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:4708
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
    C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
    3⤵
    PID:5012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGggQEgI.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUcMMckA.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
        5⤵
        
        PID:3408
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:2508
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
        5⤵
        
        PID:944
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3544
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
      4⤵
      PID:4604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2072
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewAkoAsA.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:4644
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:4264

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:1320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3024
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQYckAoo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1176
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:228
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1100
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
    C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
    3⤵
    PID:4968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3368
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWQggAow.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:1072
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:392
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:640

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:2340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcYEUMMI.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:4984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4920
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:208
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2992
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1436
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:3272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4780
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4620
  - - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
      C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
      4⤵
      PID:4136
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:4780
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5060
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4548
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGQMIIcg.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:1556
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4268
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKgQUYkA.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:3424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3116
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:424
  - - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
      C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
      4⤵
      PID:4700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAoMoEsc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
        5⤵
        
        PID:4052
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:3436
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:228
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4656

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:508

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
    C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
    3⤵
    PID:2292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2764
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4976

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:4784
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  PID:3548
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGQYoksM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:112
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2408
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:4852
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIoYEIEk.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:4384
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        UAC bypass
        
        PID:4724
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
      4⤵
      PID:2168
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4492
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:4964
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4916
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUAEUUIU.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
      4⤵
      PID:3116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuUAgoIo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
        5⤵
        
        PID:3184
      - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
        
        C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
        6⤵
        
        PID:3252
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:4396
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4092
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
        5⤵
        
        PID:4700
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1556
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2380
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4976
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4400
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:3116
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3728
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  PID:2552
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
      C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:320

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYoYQEIw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1312
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:1944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  PID:4820

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:2216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcYYwAgY.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:4408
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3408
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3404
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
      4⤵
      PID:4596
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuQwUYYM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3972
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3616
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4276
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUMkMcIE.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
      4⤵
      PID:4688
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:624
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2544
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
        
        C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
        5⤵
        
        PID:3672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
      4⤵
      PID:2304
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4684
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mskoQIEU.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:3648
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4780
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  PID:5044
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
    C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Checks whether UAC is enabled
    - System policy modification
    PID:3368

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:808
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4792

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:944
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  PID:2908

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
    C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQQcoIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:1196
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2296
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2040
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYcAgYEA.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:1616
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4248
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:3000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MegoEwIw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:4276
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1492
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4836
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:5116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:3404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKogEMMg.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:1196
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:744
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
    C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
    3⤵
    PID:4336
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:3160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYUQgsgI.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:1664
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3000
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:4860
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:5092
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UikQYMIU.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:2764
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2532
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4264

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUQsIMgU.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:3772
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1648
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3272
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
    C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
    3⤵
    PID:3740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:5044

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAIYIcQg.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:4836
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4968
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2144
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaEwEAQs.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:1664
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwYQUcwM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:5084
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:1316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:1652

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:2908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEYEckUA.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:3192
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:744
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKsEQocg.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:4292
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:2040
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoYMAYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
    C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
    3⤵
    PID:4336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWIUYoIU.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
      4⤵
      Checks whether UAC is enabled
      System policy modification
      PID:1492
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3204
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:4684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqIAkkAo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
        5⤵
        
        PID:4960
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1424
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2256
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:508
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
        5⤵
        
        PID:1916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMEsAgwA.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:2712
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:452
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2336
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:632
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2072
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4512

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4616
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  PID:3308

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIkAQQAo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:3000
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:452
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4544
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2284
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3408
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3164
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAYwwkoY.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
        5⤵
        
        PID:424
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:5044
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4688
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
        5⤵
        
        PID:4780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:5004

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dScMokkk.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:3160
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4860
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4680
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4444
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2764

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:1168
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2764
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2040
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OeAgEIEM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:2292
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3120
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiIUcwEM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:3192
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:740
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:4032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buIkYYkE.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:4436
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2144
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1424
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYkIwwsk.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:3092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmkoogAM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:2284
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2532
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:636
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4684
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puwMwQAs.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:3328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqQQooQc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:3332
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4436
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3412
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2148
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOcccgIM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:1068
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1196
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2552
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:1004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUoscQUc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:4524
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4860
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puUMggwQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:4048
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4620
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3076
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmQgwIIY.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYQMUUAk.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2236
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  - Checks whether UAC is enabled
  - System policy modification
  PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:1608
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:4336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1648

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuIYAkIk.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwEkkkQE.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMkEUIkM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqkoMcUM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:740
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:4616
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:5000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3252
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1696
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:4436
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2296
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3504
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:3076
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igYwEwAo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:944
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4444
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4916
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:1512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4880

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUkIEcwM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:4700
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
    C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
    3⤵
    PID:2136
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1920
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQEUoQkI.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  PID:2256
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:3740
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  PID:3616
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:452
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2712

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYsoIcgw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:2168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQUksUoc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:228
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkcgEMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4380
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4780
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2612
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2428
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaAUccgc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
      C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3520
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3740
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:1328
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4400
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
    C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
    3⤵
    PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGIowoYw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:3740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2688
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4268
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IykAkgkM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:3736
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1652
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4708
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  PID:1560
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAgkEMkI.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1068
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1916
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:2072
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEIkMoEc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgAoQEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmIgMcYg.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:2904
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3772
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyYsMsQg.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    PID:4260
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
    C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
    3⤵
    PID:4684
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1816
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:640
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:2544
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xugUMcwE.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:4400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMcwAEIs.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voMowoQo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:3344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1304
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4548
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1956
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2148
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1992
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEQQYAEc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:2296
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:1696
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4452
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:1608
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoIkYAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:4492
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
    C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:224
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1700
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUsUEgIE.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:1216
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1652
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3344
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaUQkAwE.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWcMAcMY.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:2428
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3500
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2276
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3672
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4448
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4460
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
    C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcIUUcUc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:4504
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2140
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2348
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1652

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIwoMEUU.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Modifies registry key
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:5060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiUkMMUo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:4620
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goAMwcks.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2380
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4388
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3124
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:1664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEAYYEIw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:2336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGYgYgcI.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:1692
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3280
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAEQocAQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4984
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:3252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAwksYgM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  PID:2336
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:964
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcUcUYMo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5084
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3124
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:1304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkwQgoQw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1696
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4840

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:3092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:836

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
PID:320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmEAMAEo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:2236
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
  2⤵
  PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3204

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKMQUkEw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1920

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
1⤵
PID:3844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Modifies visibility of file extensions in Explorer
PID:1608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4276

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgYEIIgY.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FKgcsscA\usYcQYww.exe

Filesize
103KB

MD5
3215bed6de263fa4fc18409e6fe84f64

SHA1
8e8b90b6aa38c85d3e19a5e260e169624fc607bf

SHA256
e681365880ccfc7b0e580c30da060280ccbc38ed5fbaea46d501436a34ea4bae

SHA512
aa9043ede13f22bad1a71f1cf9b5e216486dc31a10ad36cfafb514fffb9e3b01d899cfe60b5b2c3ba8031b66abae6bc8cf15e0c340460c8b3b64a68f7a4815f3

Download Submit
C:\ProgramData\FKgcsscA\usYcQYww.exe

Filesize
92KB

MD5
3470e4990d142a7bed931c163871c086

SHA1
a314a5b021682f868fe8ab56ac2aba1737536756

SHA256
2320d5e2bafe31da4a76b1ad608c0b9d5e50d3dc7679b7ce70832c7e6e59e81e

SHA512
25df9719183bd3ee8675a15cc9a8a3dd6d1a5df61ef0278658ddc51698f673f71082c3e99bc8685d5e6f74aab819da41c6055ebcae2930237d28e7670aba15af

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
1020KB

MD5
ce8dd821b9ec8994c7234989b2bdd7d6

SHA1
a61fb40056cf7c5b0283f1a70b87a19955170c35

SHA256
bc7d7e5af8ab7770aa9a7c7c015e9a4e6d99a176c001c70b38d1550bcf5f39fa

SHA512
9b0b704da00175092a6262039ae5863bc237c6bb324a6f433e02b45cb8c097bd2174b93c7c68d242db317434a8e1e244750564977187a0cedb8d2b405f384397

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
883KB

MD5
5ce21ef77ccf11a0578836cd534c27f0

SHA1
eee1c44b9648d41eb670375118568e4ba6e3ad95

SHA256
eda04c62b6a420b9b022b9443bd109ccb90073316a2151ba37f78f639ff1d57a

SHA512
646051121d9674b3eaad3af2dab2f6a3d3403e34f48321e48dbc66e09216804c60eeb9e82eb26f447e75a9a64cb12748cab5212aed304082144805256fc3dcdf

Download Submit
C:\ProgramData\kOAggckI\JIEAoQss.exe

Filesize
433KB

MD5
fd6ec0734ee03abd977d672adcdf0b58

SHA1
5fcaf18328aa4df55886a396d8220f5f4560b53a

SHA256
52348950ba51631dbda69eee47b3a726c9c976813d93d7d2371c87547553f579

SHA512
9fb0c4de5be45d37b5c460b3aba8f5551f2d3de82e64a796c4438e64164f6b9e5f97599a1937d6ceaf683cb66b21132da8219222f1a9f7d58e9ea5049acb866c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

Filesize
434KB

MD5
37990e1a67beb4ecdba1cb73f5e0bdc9

SHA1
9adde0f10636ffa4694a17dbc24b94db67d2f349

SHA256
5385fa0d8453490368c487543a20a0e891d713189ff4ce047db326034a3879da

SHA512
af9d8a025536649553676188ba8dcde9364037d8ed78144bbf367f71d90c4aa2dddf0d1203fc6439394dfc5c91a29b25f4f13a1cae14f1f3e25374ca477f4ab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

Filesize
811KB

MD5
51526b49525cf54c28af1a0bddcca97d

SHA1
09f6d5cdf9cd6fd159f45b96e9d1b4d05440ef32

SHA256
d583055a47b6881d0d037e2bccec8c7501286eadd670a5d1c097fcc3c35f0e54

SHA512
42b8e91b425cf294ee8e9b5d458b682527624086ecb6fbb46c69dc184129b6d176e7ae1ada75676b86e78e1190498fe19daf66a6ec125db7c94742ed1853adc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd

Filesize
48KB

MD5
6f90adcbf8a3254558fe0aa75e416573

SHA1
5e5baaa632e90d78297f3c5edb9c592f15c53d4d

SHA256
e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb

SHA512
0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUAe.exe

Filesize
437KB

MD5
ea770126ca7d49360e43205caf5bbe3d

SHA1
7466f093192fb263c7a86da5d90e885360e8ac90

SHA256
fc631a42bf9a3526b583365aa9b9f235413b465c4157c9b7b92d98530098fdd8

SHA512
937e4fb6968574087a7b9c7ef60413feb882aa0d56bfe9c1978f140cc98653047cf3936738e01df45a1c4cb6792d2932cfcc8def3711631ad9ff161add87fa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYIc.exe

Filesize
560KB

MD5
48f08a110b85b5b9193ae8578251c372

SHA1
bbff29edab9c120fc3b5a79d8ea7b3f1d9940cff

SHA256
3e3c1d51d84eb655a97a39973c8dffe301cf15dafa3f6fbaee340b8cd0f3ac84

SHA512
75b47ed3b7e41ddac1798e4fad11ebbb4fe982466afd5d51bdf1f3826b353bba9574c998c3fdb94fbe7a3b8074613ae7d7c5cc0d35250791f12b6acc0fbc8137

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQcI.exe

Filesize
438KB

MD5
f4777e7fe2f450c00ce19c01e15443fe

SHA1
64804395b5a5420d589590fc689634d959e9dadc

SHA256
7dccefb7afdfdc99837d7312894050b86e9c3e953a5279a22d9b5f3528d4f70f

SHA512
bdeb1581a570055d5a6924ac0b76869e6aec7d92516bb67bdd9305cce9dfc00ee8f0d9c5255846770d7c103ccd12c475ec76a7f57df8c5157234501c75960892

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkcC.exe

Filesize
435KB

MD5
2065f9a6c62cc9bbaf542996dac2d209

SHA1
f880df3090dac7385c5edaf031ec30eb174c9c52

SHA256
09dcc8a0c0a769fafed6a19560ed4bc6762f1b824043adef76d03515d25ed9da

SHA512
dcbfa26a8b6db3804c7c0e459206729aaad5a7357a1850acc9c27d9ec8a40b8f3be0cbba6967a306f6d8c3ddb4a6730c33825b007bfd4c66fb83e61777dfc870

Download Submit
C:\Users\Admin\AppData\Local\Temp\EogM.exe

Filesize
5.5MB

MD5
ea3f1d2c9a0394fa8122ff14cc033f60

SHA1
45abea7799315cc613268d8abeb6af25a122881c

SHA256
9359946dead86bd90b07ee5c4d1643d0b999793be7270dee723fa1a23a24eb99

SHA512
8cdd5a6c6d0846053db24312fbb3291bacf25193fdbf55cb06cb7dc52ecf420dfb2828b3b73905bbcefec195a2a1da9887e8af53dd4559e1de7d5d32a7165555

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkUs.exe

Filesize
435KB

MD5
9d75562c0225bde8a1140b20eff924ee

SHA1
7d61bd158abddfb90bbf2051d583427dda764f2e

SHA256
7339e24991285828654d3ed4b16adf213b78611b48cba684d20adf943ea2fad0

SHA512
2e9b68954fa22473f4ae96e21739f19554b635b24435a6ceed93a7c6da900b0707c6277b75ffac61ce358fffd7551cf4abbcfc5e624203484b73ac806292f33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIIk.exe

Filesize
441KB

MD5
23b6acf73ef5a4da81ea83ecf7f8d86d

SHA1
daabf873c4d2ba87fbc0620b4c295a9bfdbe0815

SHA256
7187eb7e268d3f0c44bcf915d6310452545e57ec69446e36009028983081d629

SHA512
2c20ee3178f7663013964ae994b478fb67548e30d55441c73278cb912a3ab4dc0da3c5121a354e510b988d7feab8bd982845fdf73cf4c747311943b1383de52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQog.exe

Filesize
470KB

MD5
8bec6c85711579216d00d4656ad6c660

SHA1
43afeb81d424d1a7562608ae6882086039d9e00c

SHA256
33e5338853cfe67800788264849a9f25ef62f92b10c9fb71e0046f49de13359a

SHA512
8e3b552ccf0177f422ac462b3e964f47e1a182a94aafc4d5bdfee195612289fa810adf4ca1e5cb994695c218ae1cf512266e2cf3b911809124cd2dca87887a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsUg.exe

Filesize
438KB

MD5
dd16fd1a30cb69e7851850ef0cf41108

SHA1
86f5fb4daa4b541af8c3c28d053a5474ef49e11c

SHA256
361733330d686e024b69d132aab589a64faf4827b772a800cc42315dfbb9e80e

SHA512
fb477f269d1d121a28a4eb9638b67b9f2a36893386ed67de89165523bcb53dc8de39bcd0f5146c1525c18cd462407b5e540fd5f3c263a2a837fcfff4865ab017

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEwK.exe

Filesize
435KB

MD5
26e88f2f26e053e6a481a75c50771eaa

SHA1
2c4d029330be1c4a72c85e46c3c746082cce1d6e

SHA256
e54d83c7592ba7782c962dec0ef0665003e6c3786a6c9c0cbb0f1b92d6de9788

SHA512
3b3e3932084b1a850a859a8ce4e1e330ac69a7bab6c7a8c9de3db1007bd586d6b8cbec83f4b6139e0c02162beada2dc3348e0492a5ce5d1d09d729eeb002617c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMUM.exe

Filesize
436KB

MD5
6698fd217f8cfe3f5543da64322cbb2e

SHA1
782ebc3bd92293d9ca3b0f33a0af67b9e963d944

SHA256
14656c3fa5c8a6198c44cb19929affeb004c617d1c25527312698aeccb77efda

SHA512
f81512673faf40579dbcf6181c51b7c7d3ac2e04b1e089dbe60d14f6f400f8d0ea4328c3105ca9e2d54c01e5a7c08017e062034d9d2709adeeed6f876b71fbca

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYYq.exe

Filesize
890KB

MD5
3e6b878b6ccabef920084c20275ef29b

SHA1
55c3786c8b02d3e1285606e311ff8b6ca683621b

SHA256
07008e02c852f26360988f9bc483f3e211ae67bc22c576cc898f23a1a076ad1a

SHA512
9a1ff5cac3bff5235cff544c4a15716ac458f0fe4a77572677452958fbf12bd0c3b347c6f758975f7e7ad8d68727aa3d2d7028528b7a5f9f98fd1bb5ec5d1e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMUi.exe

Filesize
1.0MB

MD5
45c887e5f36820621021a35736e97572

SHA1
813ea4a463f129dd135ef3610d8d00c8dfe55341

SHA256
af3bcdeb21e0a24173277249d645f2c9707d9d5d335c59dee3fdafd5aae00e14

SHA512
8e63b6734de2e612f429915454726840bba0ac45d72c90b2049d1f126ede65dc43a8a73bd1787851e6f44eedc6664074e440da001cb8118e6edee795f9e1c890

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUYI.exe

Filesize
443KB

MD5
e590a74526830a10d8cef4e5b343f24e

SHA1
6e7a4bdd0b0d0e49d50e82d05f328fa23dce2aa7

SHA256
c983f8e8c48a015ef26b2f9bd82c42749b9e7dbe1f39ec6f5476f4648fed2004

SHA512
e4246029335ee50cdc72ea41d227c34d66105fa68d1d516aaff1ae32126ffb7b86d533f7ed19ed8edaaa29803902571bfee5fe1f882b3336727a0e161bd2d79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgYi.exe

Filesize
434KB

MD5
b6ef99d435f15ab4c336fc324fa8c9d9

SHA1
8824667d0cf301761f8b70bd80a9c2775503b844

SHA256
3c4aa90f89380b88ece3389abaeeb0959025b4f918f1370f92d0a32d789d9974

SHA512
f7529c28f0c93b875974b877a8d5aeeff4c403bfe6c0607451ab21f8d8f540bc5ed0c8032100ffa38db2a8d055578a9b44907ae62af3049075a53724e6269592

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoUa.exe

Filesize
436KB

MD5
5ef58682d78a651ebd0a82dc738b39e4

SHA1
277e69f5b5959ea1d5e89a8d9e3167d64ece990c

SHA256
4f7f5bd66e734ecf5d493e109e2a34082375e98ec2769079cdf38485223a9528

SHA512
aab7d8f89895ea6733cb3548fed43025ebef00990adb1d1b3fee032c0bed351cd7672138ad469b946db916d1717914052c938b2397692c6de673d58194e2c681

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUAQ.exe

Filesize
606KB

MD5
578f255685d5475d2a117f0bdaf019da

SHA1
c869bfa6c408c25810aabd09650594ff2e5eb841

SHA256
a94b848134c97d3e11d0a36888b8aed04a7426bcedc8b88c35561d5336c0f8e1

SHA512
36a1b676ff83c91af343ac4269a2ba80bed3bd117cca97d3e6df1d232a606805dba60a0bc8b5e2e549d57eb96a252bf6fe45b520825d18bf65007f3ecdaeb64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sskw.exe

Filesize
529KB

MD5
1d909e0fd64652931e8e4bf3eebfd49f

SHA1
3291e1bd159e46e320904e4b2347d9c295274508

SHA256
675cca5d90ec30bfa5071764864e594e80dd354dba3641ca7c9b3a49fe0fe106

SHA512
1d6995f050af293f6b407bd4ef3b6ac23ec1b613501b63d15d9be84e53798307c7d2529a5cd0bd3ef0beaa7a823b531b67f745ce5702056cf7b92723abbc2015

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ueos.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ugcu.exe

Filesize
447KB

MD5
37e7c627ef170955f838f1a2968c8992

SHA1
f21744ceeaab90c970d16a0cca4d9e435ea57a8f

SHA256
792f8542bee7572d5e3b72843e2c2521b3217095135c649afa69e80aa2ed0008

SHA512
9be4e6415a137979db007b43f668d4670e51e3aa16af1a70809d8174ab7c22a80800a2a995b97bb9bb65eb31f51521297e7703e3d0fc8d85770f8828add9788f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcIQ.exe

Filesize
502KB

MD5
e0324ea7de3de8ae0129cb2f7e32d950

SHA1
683379db11431652b67178a97e4eda96fda87dda

SHA256
d0a750a6f8f03c7aa0f269ee73edc85d98c6a2209bd3baa8bbff15439c8c2087

SHA512
400ebf98ba46e558c732b787fce3ece87e9f63fddd6a2e8a6b0c8770003b71c9d27e232a792058d47a8de30d9b67525c00f1c0ea4d2a83a64da186a4262aa6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYAC.exe

Filesize
509KB

MD5
58bc0120358f3509d266c45e8250857e

SHA1
1be2114e589437558ac1aa109ad6cf5deb3ef414

SHA256
94f24340dada19f8f9f6de161d05ebc109be7cc3911647a15993a124baf729dc

SHA512
1ac70abf9218030d7302d06f61e1d104dbd75cde5f6c785ed8112dd7fe0fc81cd2cf0d3f2727a365bcf91c79637f85f32853c900f7fbf67b8a675bb78737a967

Download Submit
C:\Users\Admin\AppData\Local\Temp\aggy.exe

Filesize
6.1MB

MD5
8452c5969cd978fef0d1a59b1dd3049d

SHA1
cf83c01dfadd404f55b45fbbc37bdbb3013993fb

SHA256
6bd3fec65b938d3d214e0339942ec9b715d3194b582b982efa68643798967031

SHA512
202d7b7f1b739aedcba8ec777b0940b1db2d366781386c66104f22c8af21264a87b038408b36c8434b4788e2e017248edd264f43a07def56e60513290a2447a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\amAkEcME.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aswm.exe

Filesize
437KB

MD5
85f94688b4ee12f0a72a57afadb2902c

SHA1
c31cd2a431452db9c57871a5f8f7aeb758b79918

SHA256
e25aed80f726c2ad11407e127ac0b80ef57a7e3806ef2752248966fcb1b99d5e

SHA512
5af68d9a7a94fbbd88b1a42228b25b8864f270658f5a49555ad9023c386b4380e0e0a3cf0ff2eff09e5745fa2f815e2a5eb7975ba3150e76122cdd202e466f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYAe.exe

Filesize
1.0MB

MD5
3ab942f3a37ccba180193acb6b4af22a

SHA1
8574751395af40c2ed9f494d0ca5176aeffcb686

SHA256
05bdf1acf8b6c3a1905e181bbbf0a6c80d76cd2618b9f5d0e3dbfa2d82ad37b2

SHA512
070b66fe2d24c596444790cd0617d3eaa50e435c7cd1d6cb8f8cda20fbcbee8d623417ad4682b6f02436d542caafd63c6dcbdf24aa99f08b6142b5d3ffb6db9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYQS.exe

Filesize
557KB

MD5
cfb43cfe3c99db06ce1effc2d0cd69b7

SHA1
8326d91a7b87903886f994144ea179c37db8c143

SHA256
360834a541d635fec00045dd6befc4a809ed079165d9b03a23a460c87b384d3e

SHA512
c9de96931d9e371f5c5b070a7728c41bf9944e17a396eca2c478e6894729e7d41e29735c409cb926b607d30d021de68995aa57b0b86e9ea88a464fea3ea4bd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekIM.exe

Filesize
442KB

MD5
a8cbffad4fd7e5c3f0b1097433f4851a

SHA1
4ea6f3537932e85821c5008d8663c1384a3f09c9

SHA256
aeb48457424b61aab45e84864fbb6cc216da2971cee943c5db58275d07787274

SHA512
c6612d72cc9b4c556f1f42390fe5567fec8f92da8d24fb9f7194fe295a67bc3858a5e282933433d57359aa9eef5562fd40d4faed7ea1c432cbc37450c74672da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekUQ.exe

Filesize
474KB

MD5
2669d64a35873102efa67bdcdcccc825

SHA1
61618b06b805016d9c633a55171257408e7ee89a

SHA256
437e62eebb751c0b9ed207fe4d8bc85fbe635236c9252a07d2aece4c58edf017

SHA512
3763703d7ba23d41354ce684cb1136c1ea0bef6f61fa024218839fe51a0d0733098f5aee72fc57cf48fdbcbd31ba6069e49768daa3ac3ec085758f7b6309a5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYco.exe

Filesize
618KB

MD5
c12ade8adab83ee12fbfb150023ea3ca

SHA1
8755b1d7aa4e33c5ab574da5a469b3ca5aca87c5

SHA256
80d6a931f763b86f1b3aa7b5c9003a5545673c2e990ae10d692c8310c47c5e0d

SHA512
6ef2042171a5d3a9a957dcd17b5e2ce60efb3c50749370a731de695a0755664f80d64d0a2cc7d72ab47400c1946db0baf57524d4c0bc0916b03da363b1cbfc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsIi.exe

Filesize
537KB

MD5
bb49b3354f827d61143c84f42afb49d5

SHA1
f8c170e78356b16d64fb093360660b50d011adc7

SHA256
85c5ffa2590e54c2b7165d6de0eb904bfff5b11a1fe465a6382115a888538f7a

SHA512
44c214dcc29d7103a5f87bda4b1eb2dea43e38c1c8d740537caee2fbb62d8f8ba01ab02a1d0c6ee5ebb07ef2fccc852cfd6ca226b2176c0b2192da7ab03170e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\icUc.exe

Filesize
444KB

MD5
bf51a91a43d8e1aa6f16f9abe75731aa

SHA1
6cc4f410e44e16cf7a946854c5fa678f1047c211

SHA256
94d83d0862f28ce996b4bb8facd981c3479891b9e7d3d0621f6870c6e8302651

SHA512
8249d3c70fb66c4c5282cb1449bfc5fd97d58dff655044f3a317dbd9c53114745d998677db212c38f7c88f2125b0bb25abdb72a3afcc7eee29342eff8b347b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQIY.exe

Filesize
435KB

MD5
de8cdea5ed421161abd20702159a408d

SHA1
264eb347501cfaf6f808da0d14428e383813d0d6

SHA256
1325af618740faef4793b5f0337ebee898771854bb1e1b2a8897bbc19ab830ab

SHA512
5df39ca152bf3be9cf3163f076b5a1ee75f3715b71a4fdbfd40a67c6c5ae9a1d478e63b147735eecf03bde61e77c34b287e09ff5483d069002de2e64e1ee41d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQgs.exe

Filesize
442KB

MD5
fd9ee228781c5655379cec54de7fdfcc

SHA1
6fa15fccef607bd22e051ca2ea87e654d62f21a0

SHA256
585cffe1f4d563abf7246b0829b42fc1eebfc73646d64eb1e8b8f224a08d6253

SHA512
d05017d040ef9572db280d7401db96ee79a5dd7373f063e6ed83c6b601965c078b8031938538f9eaf8d0ec7536ddbe8350308ec0266160f7a9c120c2a00b43ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgYm.exe

Filesize
673KB

MD5
726c3cb2e6fa36396049eaf228590f8d

SHA1
3ed5a46d72723921a8908e28dfabe0e1d507f110

SHA256
18c80e525ad4b61bf67180d45ed21d10ee6a908358d2ec7cda759f000b6f8fb6

SHA512
cc718c9d27de81a49654958db24fb7ee2aa6a4e9bb8931b18551de962a3c067dd02dec7463bb798f1eb0827ebb90147113b43f99ac42b8a984491f1b3ccc1f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEIa.exe

Filesize
439KB

MD5
5c9e3235e50d9bfc9c1e7d9cdb88671e

SHA1
824cbfd4465b2d8ec0b8b4ae7a563d4dcb8050c0

SHA256
cb902a88532cf409f1c14876a7ab69289537e7895411eeeda5375da196d155db

SHA512
0f356749c47c1265f34fd4417fa5838a849ba06a46906087a3cbf8eb08622391887ae25cd7001eb66ef675db1175ec36c20d32fa56e19539f7e8a371cd78944d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQcU.exe

Filesize
456KB

MD5
0165e26bed92551aabc52b293c4a9576

SHA1
c5abe68b9b9947f3f65782bb29943484eae8d2d3

SHA256
a9b8de4e606593b28e8af30b5c3c219c93b53f1c7e280d0682b6d81ec16df408

SHA512
f0c3904be6e457a00ed5943d0436cd4a6129e8a385e48d79a2f447567c878dd98a0b0e6aecedc5b6210b3a31fce2c26eefb163d4703dc91fced6849979439928

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGwU.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgco.exe

Filesize
1.0MB

MD5
88e75bdaf2569e3f565adf5876609fc7

SHA1
0c3649845d5a8d69a5b279e66a26155a2e4b49ae

SHA256
1f5e6a2c3b93d29be5f8e656de1bc65d8eb4931483397d0021ba01154e360b6e

SHA512
73ca289924fc4449277bd565a614460fd42e1d83515a24018e434ab4963a48593b33e547b038ea58743a4181450961c369e01ad952b96dbb92c76e3a40f7fc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMQU.exe

Filesize
880KB

MD5
0ffe7b76bcbe37d5b54c3a0a9eb3d52a

SHA1
d0a628218e53c80d8b36450a0330943736a6131c

SHA256
fb5e8c85c6a8078fd92b5695b57eab1e17c37ba40a98ac81eab61187c8b6354e

SHA512
acc558b07ca5eabb32b27eaa8753eee8f3c0f91d710075be41185ca144e7fd6e0fddbf5f35187386d24871ba923f0426cd9539e5ab7e255e23f1086c307c04a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUkm.exe

Filesize
436KB

MD5
5b01527d2c062d266e40f3a0f4734741

SHA1
cd46d2474cce72631e6e0c46715dfe34d0872ba1

SHA256
f2e7ec93cd0ba41ad55364e15bd1975f840f11fbc955ee5f5413d589a717e666

SHA512
bdfd543cbd1351f19f52a6ea46135b81ce9f2ded8066fdea782f160f99be003f048cc6e6fde43c238227615f8ef6c3460b14281454ffe27aff18145d662d7549

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssIE.exe

Filesize
1020KB

MD5
349704e4b79b48554e438f7666b08c18

SHA1
07e7375bdbfecbfc0ac1a5257ab9184d7d4f1391

SHA256
a0f4692702b0a7a79613d02f5d30aa2861df498076f91ff8908cd06c75da1b8a

SHA512
876e62f424b081a5f464cd65d9642f8c851be2c30d368dd0dad0376ba0155a14306a72bf8360395a6130746289a351616be93680586fed0f73f2fc2ff497b957

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAsw.exe

Filesize
444KB

MD5
f988acfc30c7b25c8b7dc490c3001c55

SHA1
9f1f3bebcbba7b78b7d873e6292d16f790298716

SHA256
d420546e03c8f4dfa0079fc21c70e7af0e30da3e00b37953469a88763701aea5

SHA512
1c29cc984ef66376eaec2aa5ad02df2311ddc1adf00824e157b7e310505db8ae4baa99a5e1797a89ef204c1cb33fca7485b723fb47e1132ec436d8ac535db93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwkC.exe

Filesize
440KB

MD5
a2a06c120724aa87773e18d05f33864f

SHA1
f6dec3b7627dd613dadf25532c48c301770f89fb

SHA256
1b7d8db2883dbfb61c038c5ead8f1e99d96cb5a12dbf349d4127f62a4ab6647d

SHA512
2b7f2475d201ac17616dd3c7cd23bb114f8dfb9b67c47b6736f8325c77691d8adbd6e353e1870eb3bddba71f6c7e079078ad7e023907b0d3ac486d9b1b0cf6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYMg.exe

Filesize
436KB

MD5
585610186622797f2faa675425b11b8d

SHA1
914b891546aa38d39440843d2874b51fadeb9d11

SHA256
064c59d8cffdd55f81eab360ee1d49dfbc8465dce477dcc873dbc4694345e7ed

SHA512
5f01e31abd3a46b2dec0bcf5103aa39cb539bb13615fc3fb11c77f38ad78c07d02a3b0d1055a7e3720ab5f8e0ad5aa4711254bf627651bd641f9a843fdbcd044

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymsQ.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\tAIMQEYU\LYskoEIo.exe

Filesize
435KB

MD5
d3c478cb3810f042c3b96426bb611166

SHA1
1290fddd2aba92553a349234b964f19f1f5cba65

SHA256
6030592ce55724b8ce9532babb2d9cd7c8f4174c794872906c59d8d8d76913c5

SHA512
f2b8b1423f6915b801938751e6e4d786085553df511159bfcee04eef43c4ce766312eb088882fc723fcbfa5399a607140c78298034f5dc04c485657c82d2f2ed

Download Submit
memory/208-493-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/224-138-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/224-153-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/228-54-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/228-67-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/320-116-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/320-102-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/320-188-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/320-205-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1072-64-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1072-77-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1308-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1308-128-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1320-270-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1320-283-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1956-177-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1956-112-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1956-161-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1956-126-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2136-292-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2136-279-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2408-39-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2408-55-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2960-165-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2960-149-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2992-30-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2992-22-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3020-90-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3020-74-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3124-288-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3124-301-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3252-129-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3252-141-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3328-174-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3328-194-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3332-217-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3332-201-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3368-253-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3368-338-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3368-419-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3368-237-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3520-31-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3520-43-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3580-265-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3580-249-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3940-401-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3940-506-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4080-111-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4080-14-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4136-339-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4136-297-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4536-241-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4536-187-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4536-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4536-85-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4536-225-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4624-8-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4624-101-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4784-88-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4784-100-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4820-261-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4820-274-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4940-229-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4940-213-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download