4543761f29eac6dfa0711885c17fd079c7182588b2c9ea57de8aebfabce8e1dd

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b98e81f1519cf3056e9d792e458143c.exe
Size

484KB
MD5

1b98e81f1519cf3056e9d792e458143c
SHA1

7280f2dd91e6c023724ac6fe65c16a83f3ae1468
SHA256

4543761f29eac6dfa0711885c17fd079c7182588b2c9ea57de8aebfabce8e1dd
SHA512

ed2af61f93c1cc049994d8eee1716bde286e89235c631c2eddaeaef8a338786001c6734a3957e7180702d143e7ea4b8aa073eac9bc420652fca6228f853e5d62
SSDEEP

12288:vD6kK42nuyp6eCYvBSUEVL+NXxpXDpRCd55agxgGtLkhO23F:vD6kCnuO60UULvzpRCd/aQpLkt

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (54) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 8 IoCs

flow	pid	Process
40	3924	cmd.exe
44	3924	cmd.exe
47	3924	cmd.exe
52	3924	cmd.exe
69	3924	cmd.exe
70	3924	cmd.exe
176	3924	cmd.exe
200	3924	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	XyMUAoks.exe

Executes dropped EXE 3 IoCs

pid	Process
2876	XyMUAoks.exe
1460	vWIcUMQM.exe
4116	tgQQIosU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vWIcUMQM.exe = "C:\\ProgramData\\tQwEwosc\\vWIcUMQM.exe"	vWIcUMQM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XyMUAoks.exe = "C:\\Users\\Admin\\IaMsckYc\\XyMUAoks.exe"	XyMUAoks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XyMUAoks.exe = "C:\\Users\\Admin\\IaMsckYc\\XyMUAoks.exe"	1b98e81f1519cf3056e9d792e458143c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vWIcUMQM.exe = "C:\\ProgramData\\tQwEwosc\\vWIcUMQM.exe"	1b98e81f1519cf3056e9d792e458143c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vWIcUMQM.exe = "C:\\ProgramData\\tQwEwosc\\vWIcUMQM.exe"	tgQQIosU.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1b98e81f1519cf3056e9d792e458143c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1b98e81f1519cf3056e9d792e458143c.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	XyMUAoks.exe
File opened for modification	C:\Windows\SysWOW64\sheLimitInitialize.zip	XyMUAoks.exe
File opened for modification	C:\Windows\SysWOW64\sheReadMerge.exe	XyMUAoks.exe
File opened for modification	C:\Windows\SysWOW64\sheUnregisterMount.mpg	XyMUAoks.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\IaMsckYc	tgQQIosU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\IaMsckYc\XyMUAoks	tgQQIosU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1936	reg.exe
952	reg.exe
3172	reg.exe
4552	reg.exe
1588	reg.exe
1608	reg.exe
1392	reg.exe
2872	reg.exe
2456	reg.exe
4332	reg.exe
4956	reg.exe
4684	reg.exe
2136	reg.exe
2128	reg.exe
2136	reg.exe
4752	reg.exe
2852	reg.exe
4500	reg.exe
4756	reg.exe
1884	reg.exe
2268	reg.exe
3284	reg.exe
5004	reg.exe
4476	reg.exe
1532	reg.exe
1384	reg.exe
4172	reg.exe
1608	reg.exe
4956	reg.exe
3760	reg.exe
2756	reg.exe
3096	reg.exe
2136	reg.exe
1608	reg.exe
4164	reg.exe
688	reg.exe
1748	reg.exe
1812	reg.exe
4064	reg.exe
3660	reg.exe
1456	reg.exe
4412	reg.exe
1112	reg.exe
936	reg.exe
1112	reg.exe
3760	reg.exe
2336	reg.exe
3240	reg.exe
4952	reg.exe
3980	reg.exe
3144	reg.exe
1812	reg.exe
1140	reg.exe
1432	reg.exe
1112	reg.exe
368	reg.exe
3872	reg.exe
3064	reg.exe
712	reg.exe
5032	reg.exe
636	reg.exe
3196	reg.exe
4360	reg.exe
4692	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3968	1b98e81f1519cf3056e9d792e458143c.exe
3968	1b98e81f1519cf3056e9d792e458143c.exe
3968	1b98e81f1519cf3056e9d792e458143c.exe
3968	1b98e81f1519cf3056e9d792e458143c.exe
4976	1b98e81f1519cf3056e9d792e458143c.exe
4976	1b98e81f1519cf3056e9d792e458143c.exe
4976	1b98e81f1519cf3056e9d792e458143c.exe
4976	1b98e81f1519cf3056e9d792e458143c.exe
2024	Conhost.exe
2024	Conhost.exe
2024	Conhost.exe
2024	Conhost.exe
2780	1b98e81f1519cf3056e9d792e458143c.exe
2780	1b98e81f1519cf3056e9d792e458143c.exe
2780	1b98e81f1519cf3056e9d792e458143c.exe
2780	1b98e81f1519cf3056e9d792e458143c.exe
3964	1b98e81f1519cf3056e9d792e458143c.exe
3964	1b98e81f1519cf3056e9d792e458143c.exe
3964	1b98e81f1519cf3056e9d792e458143c.exe
3964	1b98e81f1519cf3056e9d792e458143c.exe
4788	1b98e81f1519cf3056e9d792e458143c.exe
4788	1b98e81f1519cf3056e9d792e458143c.exe
4788	1b98e81f1519cf3056e9d792e458143c.exe
4788	1b98e81f1519cf3056e9d792e458143c.exe
2584	1b98e81f1519cf3056e9d792e458143c.exe
2584	1b98e81f1519cf3056e9d792e458143c.exe
2584	1b98e81f1519cf3056e9d792e458143c.exe
2584	1b98e81f1519cf3056e9d792e458143c.exe
4160	1b98e81f1519cf3056e9d792e458143c.exe
4160	1b98e81f1519cf3056e9d792e458143c.exe
4160	1b98e81f1519cf3056e9d792e458143c.exe
4160	1b98e81f1519cf3056e9d792e458143c.exe
4908	Conhost.exe
4908	Conhost.exe
4908	Conhost.exe
4908	Conhost.exe
4952	cscript.exe
4952	cscript.exe
4952	cscript.exe
4952	cscript.exe
2136	1b98e81f1519cf3056e9d792e458143c.exe
2136	1b98e81f1519cf3056e9d792e458143c.exe
2136	1b98e81f1519cf3056e9d792e458143c.exe
2136	1b98e81f1519cf3056e9d792e458143c.exe
1936	1b98e81f1519cf3056e9d792e458143c.exe
1936	1b98e81f1519cf3056e9d792e458143c.exe
1936	1b98e81f1519cf3056e9d792e458143c.exe
1936	1b98e81f1519cf3056e9d792e458143c.exe
4564	reg.exe
4564	reg.exe
4564	reg.exe
4564	reg.exe
2272	reg.exe
2272	reg.exe
2272	reg.exe
2272	reg.exe
3292	1b98e81f1519cf3056e9d792e458143c.exe
3292	1b98e81f1519cf3056e9d792e458143c.exe
3292	1b98e81f1519cf3056e9d792e458143c.exe
3292	1b98e81f1519cf3056e9d792e458143c.exe
3584	Conhost.exe
3584	Conhost.exe
3584	Conhost.exe
3584	Conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2876	XyMUAoks.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe
2876	XyMUAoks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 2876	3968	1b98e81f1519cf3056e9d792e458143c.exe	91
PID 3968 wrote to memory of 2876	3968	1b98e81f1519cf3056e9d792e458143c.exe	91
PID 3968 wrote to memory of 2876	3968	1b98e81f1519cf3056e9d792e458143c.exe	91
PID 3968 wrote to memory of 1460	3968	1b98e81f1519cf3056e9d792e458143c.exe	93
PID 3968 wrote to memory of 1460	3968	1b98e81f1519cf3056e9d792e458143c.exe	93
PID 3968 wrote to memory of 1460	3968	1b98e81f1519cf3056e9d792e458143c.exe	93
PID 3968 wrote to memory of 2476	3968	1b98e81f1519cf3056e9d792e458143c.exe	1191
PID 3968 wrote to memory of 2476	3968	1b98e81f1519cf3056e9d792e458143c.exe	1191
PID 3968 wrote to memory of 2476	3968	1b98e81f1519cf3056e9d792e458143c.exe	1191
PID 2476 wrote to memory of 4976	2476	cmd.exe	1190
PID 2476 wrote to memory of 4976	2476	cmd.exe	1190
PID 2476 wrote to memory of 4976	2476	cmd.exe	1190
PID 3968 wrote to memory of 2872	3968	1b98e81f1519cf3056e9d792e458143c.exe	1067
PID 3968 wrote to memory of 2872	3968	1b98e81f1519cf3056e9d792e458143c.exe	1067
PID 3968 wrote to memory of 2872	3968	1b98e81f1519cf3056e9d792e458143c.exe	1067
PID 3968 wrote to memory of 3484	3968	1b98e81f1519cf3056e9d792e458143c.exe	1102
PID 3968 wrote to memory of 3484	3968	1b98e81f1519cf3056e9d792e458143c.exe	1102
PID 3968 wrote to memory of 3484	3968	1b98e81f1519cf3056e9d792e458143c.exe	1102
PID 3968 wrote to memory of 1896	3968	1b98e81f1519cf3056e9d792e458143c.exe	1077
PID 3968 wrote to memory of 1896	3968	1b98e81f1519cf3056e9d792e458143c.exe	1077
PID 3968 wrote to memory of 1896	3968	1b98e81f1519cf3056e9d792e458143c.exe	1077
PID 4976 wrote to memory of 3220	4976	1b98e81f1519cf3056e9d792e458143c.exe	1189
PID 4976 wrote to memory of 3220	4976	1b98e81f1519cf3056e9d792e458143c.exe	1189
PID 4976 wrote to memory of 3220	4976	1b98e81f1519cf3056e9d792e458143c.exe	1189
PID 3220 wrote to memory of 2024	3220	cmd.exe	392
PID 3220 wrote to memory of 2024	3220	cmd.exe	392
PID 3220 wrote to memory of 2024	3220	cmd.exe	392
PID 4976 wrote to memory of 3064	4976	1b98e81f1519cf3056e9d792e458143c.exe	1188
PID 4976 wrote to memory of 3064	4976	1b98e81f1519cf3056e9d792e458143c.exe	1188
PID 4976 wrote to memory of 3064	4976	1b98e81f1519cf3056e9d792e458143c.exe	1188
PID 4976 wrote to memory of 5008	4976	1b98e81f1519cf3056e9d792e458143c.exe	1187
PID 4976 wrote to memory of 5008	4976	1b98e81f1519cf3056e9d792e458143c.exe	1187
PID 4976 wrote to memory of 5008	4976	1b98e81f1519cf3056e9d792e458143c.exe	1187
PID 4976 wrote to memory of 2108	4976	1b98e81f1519cf3056e9d792e458143c.exe	1186
PID 4976 wrote to memory of 2108	4976	1b98e81f1519cf3056e9d792e458143c.exe	1186
PID 4976 wrote to memory of 2108	4976	1b98e81f1519cf3056e9d792e458143c.exe	1186
PID 4976 wrote to memory of 4156	4976	1b98e81f1519cf3056e9d792e458143c.exe	1185
PID 4976 wrote to memory of 4156	4976	1b98e81f1519cf3056e9d792e458143c.exe	1185
PID 4976 wrote to memory of 4156	4976	1b98e81f1519cf3056e9d792e458143c.exe	1185
PID 4156 wrote to memory of 1448	4156	cmd.exe	1099
PID 4156 wrote to memory of 1448	4156	cmd.exe	1099
PID 4156 wrote to memory of 1448	4156	cmd.exe	1099
PID 2024 wrote to memory of 1740	2024	Conhost.exe	1180
PID 2024 wrote to memory of 1740	2024	Conhost.exe	1180
PID 2024 wrote to memory of 1740	2024	Conhost.exe	1180
PID 1740 wrote to memory of 2780	1740	cmd.exe	1179
PID 1740 wrote to memory of 2780	1740	cmd.exe	1179
PID 1740 wrote to memory of 2780	1740	cmd.exe	1179
PID 2024 wrote to memory of 1152	2024	Conhost.exe	1178
PID 2024 wrote to memory of 1152	2024	Conhost.exe	1178
PID 2024 wrote to memory of 1152	2024	Conhost.exe	1178
PID 2024 wrote to memory of 4128	2024	Conhost.exe	1177
PID 2024 wrote to memory of 4128	2024	Conhost.exe	1177
PID 2024 wrote to memory of 4128	2024	Conhost.exe	1177
PID 2024 wrote to memory of 4368	2024	Conhost.exe	1176
PID 2024 wrote to memory of 4368	2024	Conhost.exe	1176
PID 2024 wrote to memory of 4368	2024	Conhost.exe	1176
PID 2024 wrote to memory of 2284	2024	Conhost.exe	123
PID 2024 wrote to memory of 2284	2024	Conhost.exe	123
PID 2024 wrote to memory of 2284	2024	Conhost.exe	123
PID 2780 wrote to memory of 3296	2780	1b98e81f1519cf3056e9d792e458143c.exe	1131
PID 2780 wrote to memory of 3296	2780	1b98e81f1519cf3056e9d792e458143c.exe	1131
PID 2780 wrote to memory of 3296	2780	1b98e81f1519cf3056e9d792e458143c.exe	1131
PID 3296 wrote to memory of 3964	3296	cmd.exe	1172

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1b98e81f1519cf3056e9d792e458143c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1b98e81f1519cf3056e9d792e458143c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1b98e81f1519cf3056e9d792e458143c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b98e81f1519cf3056e9d792e458143c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
"C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\IaMsckYc\XyMUAoks.exe
  "C:\Users\Admin\IaMsckYc\XyMUAoks.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2876
- C:\ProgramData\tQwEwosc\vWIcUMQM.exe
  "C:\ProgramData\tQwEwosc\vWIcUMQM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1460
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    PID:4316
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1388
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3484
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkwcUQkY.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:3076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476

C:\ProgramData\HIwMsssY\tgQQIosU.exe
C:\ProgramData\HIwMsssY\tgQQIosU.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4116

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaoQEwII.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:2284
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
      C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
      4⤵
      PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
        5⤵
        
        PID:4412
    - - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
        
        C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
        5⤵
        
        PID:3096
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkYoscIE.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
        6⤵
        
        PID:4756
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:5064
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        UAC bypass
        
        PID:812
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        UAC bypass
        
        PID:5064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
        6⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:3296
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWYsokkA.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4908

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCMQsgEQ.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3964
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3240
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3356
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1812
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoYkkAEA.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:1316
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4476
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaQcQUYk.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:564
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkAEcwcM.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
      4⤵
      PID:4704
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCUkQgEw.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
        5⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:952
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1884
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1608
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:2456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
        5⤵
        
        PID:4476
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1112
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      PID:368
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
    3⤵
    PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4356
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:4256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKgEkkwE.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:4140
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4484
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
    3⤵
    PID:4552

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwEsoQsI.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4748
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4456
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYYgQgcg.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:4704
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1384
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:376
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:4260

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:3740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:2508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKccwwQk.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1544
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:4476
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:936
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEQkQoAM.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siYQYAcs.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4156
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2108
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:3064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3220
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
    3⤵
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:1700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQwUUIwE.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:692
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4924
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2268
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3292

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:264
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    PID:3116

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsMIsAQM.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:1672
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2260
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:5092
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1448
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:1512
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYIUcMcw.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:780
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
    3⤵
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:2184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4952
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSUcgAUY.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:4632
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:5032
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2872
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:4432
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEwkEYQA.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:5004
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Modifies registry key
    PID:4172
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4564
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1448
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:1100
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:3240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      PID:3484
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:1588

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:1532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1640
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3032

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:2184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:1512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:1432
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    PID:4036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      PID:3720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    PID:3148
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      PID:3496

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:5020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:3912
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auwoMwEg.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:3664
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:4684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:3772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JowQIYwA.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcAYwccw.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:1112
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1532
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2848
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:3724
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:3664
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
    3⤵
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
      C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
      4⤵
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeQokkAo.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:316
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEcMswYI.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1456
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      PID:1884
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3196
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OakYQIMs.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:952
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
    3⤵
    PID:3472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:1432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:3744
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3872

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:1576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:4980
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:3772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsEYQcYo.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:3760
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:812
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4756
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOAUwUwA.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
        5⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1512
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1856
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1220
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:4552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
        5⤵
        
        PID:4948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaUAwAgM.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:4128
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4484
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:3184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYoIwAcE.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
      4⤵
      PID:4332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQIQMkEA.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
        5⤵
        
        PID:4128
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:2136
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1392
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:4756
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:636
    - - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
        
        C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
        5⤵
        
        PID:3760
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4712
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1712
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiAUYwsA.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:1608
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2848
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:5092
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOsYUUIk.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:3488
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3992
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2044
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1456

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYcEAMII.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    PID:3556
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:564
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4964
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3724
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1936
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:3724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FowsMUYk.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    PID:3760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIYEowUg.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      PID:5092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAgYYsww.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
        5⤵
        
        PID:748
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:4956
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1456
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:3144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
        5⤵
        
        PID:3148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOMoYkso.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
        6⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoAkMkIc.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
        7⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
        
        C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
        8⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:4412
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2936
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3716
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4752
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwooQgsg.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1416
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3196
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      PID:1980
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaEMYEcU.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      PID:1588
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:4816
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4368
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4128
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:3760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:4820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkssIkcc.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:5004
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3356
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3096
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4380
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGEAckEI.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:3012
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1456
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEIEkoEk.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsYkAYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
      4⤵
      PID:3912
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:4500
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYQwAIQg.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:1112
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      UAC bypass
      PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      PID:1256
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        UAC bypass
        
        PID:4360
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqQwcIsg.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
      4⤵
      PID:3744
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3836
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4952
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4756
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      PID:2184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMkwYcgI.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
        5⤵
        
        PID:1672
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4552
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:3172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqAIcAkk.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
        6⤵
        
        PID:3484
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4948
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1912
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        UAC bypass
        
        PID:4192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
        6⤵
        
        PID:764
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:1532
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:1884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
        5⤵
        
        PID:824
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
    3⤵
    PID:3740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:1828

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:1140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmoQkYgY.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:1748
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1708
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:636
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:4128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:692
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1608
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4784
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3296
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOgMUgEU.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
- Modifies visibility of file extensions in Explorer
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQMYgkoo.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4956
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1804
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1140
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:1256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOUUIksc.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuMYYwkk.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCUQcIMg.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lesAgsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:4692
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:3740
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Modifies registry key
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification
    PID:2136
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1368
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuYgoAEE.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:5024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwMMwgEg.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:4748
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4788
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAsUkIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:3172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:532
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3464
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4332
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:4192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:712

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
- Checks whether UAC is enabled
- System policy modification
PID:2756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksIAUsIA.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOAkwgUc.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3196
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4552
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3172
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3836
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:3592
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - UAC bypass
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
      C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
      4⤵
      PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGEQcoso.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAEsUAcw.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:4712
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYUMkEgs.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:824
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1828
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4816
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3148
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2896
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4476

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cooYsoII.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1100
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1112
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:4796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsgYcYIc.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcMMkEoc.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:1512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyIUIEEs.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:3756
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4192
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1604
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2992
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAoYYYIw.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:3760
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        UAC bypass
        
        PID:5020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAAwggME.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:824
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3464
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
        5⤵
        
        PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      PID:2936
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      UAC bypass
      PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYIkgwAk.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2612
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4752
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQooIQgk.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
      4⤵
      PID:3148
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2456
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:820
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
      4⤵
      PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
    3⤵
    PID:1896
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4756
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCgcwQcM.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:724
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2128
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2960
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1220
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:1856

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:2992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsMMoEwI.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:4192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWowQQcM.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyAgYsoY.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:1604
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3128
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4484
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3872
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2584
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Suspicious behavior: EnumeratesProcesses
    PID:4788
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEEUcMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwMgwgkc.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:4748
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1140
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3148
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3116
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1392
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgIcggos.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:564
- - C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
    C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:3172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4556
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1256
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3208
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
  2⤵
  PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:4752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyMUgkwM.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1112
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:3132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:3720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
- Modifies visibility of file extensions in Explorer
PID:3144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1844
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4556

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:5020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuYQYksk.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:1640
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - UAC bypass
  PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3740
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkMooIYU.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  PID:1844
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5036
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1140
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4692
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4704
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyksAIMw.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1812
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:4796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUoEEMQY.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3872

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
PID:3924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOMYwgws.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
  2⤵
  - Blocklisted process makes network request
  PID:3924
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:3760
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwkosMAE.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2032
- C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
  C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4692

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:2156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIMEAQko.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
- Modifies visibility of file extensions in Explorer
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:4880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYcAIcIA.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkwcEIMY.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Modifies registry key
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSwwAUQU.bat" "C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe""
1⤵
PID:376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c.exe
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HIwMsssY\tgQQIosU.exe

Filesize
433KB

MD5
89a69d9ef8991ce371dc33325a827d0e

SHA1
775d4febcf726208b342faad67c97551629c3294

SHA256
49ecb3e2cd19a88030925767fe3c46e482c451b8a4f9b3d763849a303c1ccb8c

SHA512
7f2a31b7037c74d61123786210d6e1603e224e99826105d075910f9f04e6c18ce9e6772a4ddfd5f9bde11b30786608b9dc3f6d5f812d7ba931e4edd0a92b0dbe

Download Submit
C:\ProgramData\tQwEwosc\vWIcUMQM.exe

Filesize
432KB

MD5
6a7a098f91896a1735fde69e29b0c1df

SHA1
033971c0ff9759d29980910b0aa08cd52a143f32

SHA256
ff8cfbbed6641df51167953334a401c2be411a63a6bee1d19ca2a71324e34086

SHA512
265e4b8e65d55fd20efdf5c12c150f9f75cf61cfc23eec591af5e9e1169bafcf54707591e3c6d243961e0b057640efa1daea1d71819e756dc55a24c99ed86865

Download Submit
C:\ProgramData\tQwEwosc\vWIcUMQM.exe

Filesize
92KB

MD5
589c2159e2c2d2acdeee0757e784c095

SHA1
8f2c3cefb36f6519b87dba1036b3c31f405d0c70

SHA256
bca92fc95118f0674b9ad9ef428326b336a23636e33be3c8e626dcc9018d2321

SHA512
023770cff171b5afd6a7cc1fee8a3a9084f124908002ce33164538d04048c040a8d9c35f3e122299ba2b58d1696fb5d7ba2f4ee0a000c45732c8e6d7f34be3b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

Filesize
437KB

MD5
a3a8639d2a1b559e1b3f894bd098864e

SHA1
9f4346d434e120aecafc56a9734853f77d5e58a8

SHA256
04c925e9e6bfb32f726a5690cac66e2d65cf92ae3ac20bb1a8cd4dac4f1b8248

SHA512
c8ee7f9d3ec494779dab0c7c03632f13d143b6217b827468620e18747cb1867da4f53ab3e19d4412865294340dfdbb16a862d729f4690f9e3f08c79031a8c951

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b98e81f1519cf3056e9d792e458143c

Filesize
48KB

MD5
35cbde129d22ad6080dc8fed0fd3e185

SHA1
e29871c61fe34d7159cf12daa543e1679f3ef63a

SHA256
eaed558d6439df7f6172277ad993c778b631aa73ffce8cd9619b525ff92a2265

SHA512
009e3a9714454ae0b0ea87d391dd42583a390ce74d249a0421318dfa8af27e98d4cfc625f1923304a177a6824210c687f522082783c9920beeba3ab078ae2f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgYC.exe

Filesize
430KB

MD5
2ae5bbbb002fa37654632434645ce8b4

SHA1
abf24b4de0bf5b0f04f50dcf4f76f7200035a697

SHA256
fb79248e474a8dceaa03e0f848943eef958635affd764d84cd30c933d4f146a7

SHA512
386c6f52ea07bf092f02f2aa18e2b24684f37604223504530978adc4af67342d1c23a5d20f25aaaabee6255033a05444495ffb3adc52f0dc62a50e826b56675b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgsS.exe

Filesize
673KB

MD5
3aab0f8735779bd6c47b59f2b8228b36

SHA1
4d10a937ed122e85cc5693437ebdaf3610b6a0d9

SHA256
4430ce3719a3f7ef33731ec7045cf02d80fb96a14b31868a58b2f185bf9986d3

SHA512
b7c69c2b5b225b700a7478c7b52e63744cd756b808acc47ad7fed882eeb8d75224303a5aec483d9500be36efcfb9bdef7d68d9513048f3bc414ee4a7e9e98093

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUoq.exe

Filesize
6.2MB

MD5
a3d12e6168c52fbb3fdca23bd7235426

SHA1
15109ca8547273b209f70a71a897b8aaa8dd7241

SHA256
1ce1ecfc56490b3ce9a180ea9a84043d58f35860555fb1db6c5a0d035cc8a62a

SHA512
194c9021938525e900ed6bcd36362e84a0993972a2b4cba0af637fd116a0c68a48280ccde53b56a9d495723438ca404bf466f39833c1dff1e735d0fc2144e146

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgcK.exe

Filesize
445KB

MD5
a444dc39011109fa7d769efaefa91b84

SHA1
b85775d7925a2b31d507335b6a5294877100585b

SHA256
629f223f0a7223ade00d03e6757fb53b5122abc0e501c4c84ce606adbfa97dad

SHA512
39064edb835f7af7f07f8116165590ef5d9ddd9573a3ce73dd2753a023f7e6cb415a05d9a6efef8324c8df4c8946727582d5e9b907597e42c3b8b87558f74f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwwM.exe

Filesize
440KB

MD5
7591154c377f334edcb7d3714d4305f1

SHA1
c8eb63459aba47a7e35ecbbb7a3fad1e8aa5df9b

SHA256
41476dfc3b46a0c0ce7638f0e01320893d0e91e00526466b81681a9681c6e8ed

SHA512
f4f5355b594e4bb1a73ee41eab12f482bf4ad6a38d58d713097928be82dedf11db3f5e703f21dfef4eab3f580fa8d81f4effcada562ca7b3643937a51db75888

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgQY.exe

Filesize
440KB

MD5
8585705f1bfbdf99bfcc677294829606

SHA1
0e1f61872b6247fc44a28c5b18e46b5c10a67afb

SHA256
b58569ac57eb56b2e7e18e3e8ee0ad2042583ed861da1447e43bdfed41580c5e

SHA512
b3f7bfdb7374181928e83ec6692ae8ad46157058f63b4f71cc7eb7fafcab7c8fd1c85a76f973c1dcccb07fa9c5442b672238664136d660d90f52d8e882a63561

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsIk.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQce.exe

Filesize
440KB

MD5
ca1c628176f64aca4e8da215add6dafd

SHA1
5fb580258c26d15802fcb6d5a69a50c473bca829

SHA256
4cfa62eadd16ce320bb040009bc025d616e922f087eed98617ddda49344682c4

SHA512
85b2d6de717673c51ba26309f9fcb0a44c7ca8c968460189882ef02445ffc0db853bcc49eb8124b6ed638c064aaed2bfcd1a2c321f52fa2eda1c096e13a30a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwke.exe

Filesize
443KB

MD5
eb8deb62409ebecdb951d24fc07ef152

SHA1
a730f1001f3ddc2be5c54157f9f89ef5af447c63

SHA256
8532c76d89472f1b998a55a59a54ab005a678506d4acf5890f6720402f7fff98

SHA512
98a40b1355a45dab8550857d5b43bc36a666e4fd3f0d073e262d15de07e3cc4ba01f570195ae8ebcc7b4da1edb660095bd13f9129dc201c1615b1ef9fc789251

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEAm.exe

Filesize
1.0MB

MD5
0176ee3a854ce1d55c8879c497a91ff9

SHA1
c4669e25d7980f5c613ba12b630abd9b14d0baff

SHA256
29350b8a21c99f06fd8d3486ff478b01c02511020ce90136e253b95a63239451

SHA512
c6a3289ba757977a96e77b7f8d9f1082c2b3cc2ffce6c5f4960a9f786f41bed52dfe9e7cb9dab6338b6e40ed8a5809a9340ea6fa921437bad96a2920c5a74012

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQYG.exe

Filesize
441KB

MD5
daa0f7566d38c4c2f9dbc8d13857ce1e

SHA1
42a961fbec597267a4ce3d8283f4064625f52b35

SHA256
9a0369cf798cfefd59bc8fb77c31001dd5c4dc5b3e66eac9a931a5a3d2dec235

SHA512
019249b8d004b506c74c8d2dd3664255663b235790e049102374e18000e7c22933f537efa66509d5b3b44a875a1c4dce65412e09a4bfdd2aeb5e104e23a5c6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgcU.exe

Filesize
607KB

MD5
4dc13d4f7caa934d44668c19eec792ce

SHA1
07aaf4477d68d681f9c80ba6679d969572d841d8

SHA256
4306413485df5eec7d3642d93f9665e5e1a014bbfb29472af4cee2dad2e8bfe9

SHA512
63f3422004cbb086051f7dbd7d0e7662d8f7643106c305e69b7590e1098cc47b09a789c727b8c08b9f69bb7f373c8093ff7f5aae8abf19e854d7d375a41c6fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QaoQEwII.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEMk.exe

Filesize
437KB

MD5
7ed636f56c1f9e229ab329e053b2e4db

SHA1
0585918d911f7796e12dfb03043f284f2a64945d

SHA256
e2a64dfcb926bf3c332f33efa701ed3c2391e01ddb70cffb0502cfedb4a9867e

SHA512
fef58cd60b01ebb50ee2e59552ce955dae2c07a0b4575adeec3116008f17fa77780b5010487a31157cf9656cd4bae2b65e70d284bb01cb446565b4b246088e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwQi.exe

Filesize
435KB

MD5
7e3c08000434ceb40d6ddb4e0b11c2df

SHA1
858a92f6c84aa72bb25cfe0677d570fd010af6be

SHA256
40dcac9e908e22f093843bc7326f794bfb9b024dadb5aab26c54abf4cff87f2c

SHA512
c9d76cb93881a097c340c7502e58d47760e04cb072f8ecf74eac94208275be40d33d187899465414154e0cb1f2f407d0ee5551ca6d9f097cc9a94f624bf346fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwsA.exe

Filesize
439KB

MD5
fca4dcebe177084d2ed3bf79a4bd3cbb

SHA1
72cc451ff0d96fe9edc7b2a68f6a29efb75c3b6d

SHA256
6170f280c7bb2893a44a2e999aac328c5782f040bd72490c1f1ab72e5fad9172

SHA512
dd055c9b3b33b8a1ab5c52f9e7c7c22f1e6912cf4ee35da48ce9a474050632de84ca3e268efbf4decea22acaf01a78592ab442777d5e9795154bf24e8b101f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUwY.exe

Filesize
445KB

MD5
b2e1bcf1b30417cc67a7abf9a023f036

SHA1
5b6131895a584f42f9be5b231d4fe18e7b85936d

SHA256
b37a1e3e70f517f8c7170d9c2346262b92b8179054145a031fa2cb699eb8434b

SHA512
03e729fb80be0b0a8cf02f37ea89200c2d8052587ac6a028bab8581550bf4d7acdcb95506834b20be93aa2c7a5c8304e2831b8b2f1ea21ac3c33d2d9d96b415c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkMY.exe

Filesize
439KB

MD5
d44b6098b582f334a0f31c0df0f36ac2

SHA1
620f682909a59a9d749418b636481d8cac765706

SHA256
6304e04ce794e6aefbd09b33592442a0556edf70e80b630971835191d86b0788

SHA512
1f164563e5d93364be335f415f67ea79e21c616826694ddda66c103f95c08df0d2b3bc31c3976d304ed42c57900ab467c1ce0e72a5297f8c0485b6505379eef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIMi.exe

Filesize
430KB

MD5
f5ae334e16943be02adeb42c024a4e30

SHA1
1fb2b9592568d9742bb96e565311ada3d07ca784

SHA256
38e70304455a035329776e88c99ce338d653f20a5d31a251fcede91435400104

SHA512
60406763071132a7bf0c18ce3b544a3c419365be9b65d1768988ad876d9f219182e5ef41932ea453656408c8c78a2fc8457eb1979a841d2f429df505fe42def1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMoG.exe

Filesize
584KB

MD5
166f3569bffc89cb46faac44d785066b

SHA1
742a3532f9e7c62db2050931e036bf6421ceebd8

SHA256
9b40950312150808002efdb3c04a76746eaa266dc407c1283dc545887c1377fb

SHA512
69bac055204630d65a0c0485efbfd05f1e9d2393d69d06af0efe229f4d03741699ade4a777c82d118552be908f443b6c65910d180ab2905ac59f0606c6e2df1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYUq.exe

Filesize
1.0MB

MD5
d0a0ac21395b75692245a562fef4b156

SHA1
08a13990951d82a29ef51b1ab5f540d85160a188

SHA256
86bc65d05f0c0a9c274ff88ecda77e9e09201499599b4e4119500cafd0ddafe5

SHA512
33471b3f49bc6d5bdbc0cdddcf5cdc4a0565fc8a42c2f907e80a6a372158ad47bc2bd5a56019ac33807ebe348273aaea7da2a9108c1251a7b240aa344f82d44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmMc.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUgK.exe

Filesize
436KB

MD5
85cfc43d43d91a670fee6f86eb615039

SHA1
eaa64d923871fac57a931e59d46ef89cab56732f

SHA256
79aa6f15291d79493b7945fa3d76add2430954a1e0289155e11a049d7e9951c9

SHA512
319957b310b4332b2a37a02c1b6349438bf30949b93f7b4f3b6bd252c393582e96996e7f1b589edee6d0990f0d4058d88ab72491c17c5596a85fa4b8d146c604

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIky.exe

Filesize
558KB

MD5
c1c41679c1d922c39f4e8f6ea49c88f0

SHA1
9a2d25861a7a8edb40098f1c17d8d9f8da08fd09

SHA256
d0d959e05263803d930386cf74ff5ed3b8c37e567806802a694bc7e96269a248

SHA512
31174231231129adaeddc703184a9434aea9a8465c5f367606645dd79680aa58e46851bdae718e52bd9709cfeee4c21d279baec0108414ad8c35e22d7aedad99

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQku.exe

Filesize
443KB

MD5
96b42c95984d80510dd8d3422953c91b

SHA1
bcf03b7d5b1c301dab35ec2b3d62a73cc4ac909a

SHA256
2146485d4f002ae31cd9713e253c6974e84d4654a31bab5691a4dcec35591e57

SHA512
6588ed985aa0d5b9019ed0a7066510326236b258fb5dd02f2f6e88fdc8aadf8872477eeb1150069e7cc6149bdcfc184cf9aaa909b7c961a58a8cbf2e3e2550e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMAE.exe

Filesize
440KB

MD5
76618ed09e875d03cecd1a4302fbbe93

SHA1
c8610cf7ed84d67bfe054cc7f2b59e098ebcbf12

SHA256
59c31ff5ee69b336e487650fb6b3b96fb7d396abec07507f4250b49af8966ac6

SHA512
4daeb541ade1968217d92f040b904c63620b83f47e94a054436ad9a417940dc2bd3456680121f34ceb2920a72d53102dba893f772440f3ca2b577973cb095b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUAU.exe

Filesize
630KB

MD5
c15ff3b1c3bdb23e638fc7972604ba89

SHA1
f28ae1684c01144fcf0880cb7b48c70fa197e1ed

SHA256
e9dfa0f17a07a9eb55f9849e098476631801c2e0957b939a947939730c59fc06

SHA512
94a7fc9471e172a3fd4296fc0301cd44577693cc300f398501c8dad8eecb5e4df059642eb7c8dd302fe61886729911873a9e901e67e7274afba5be533742c2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocEQ.exe

Filesize
576KB

MD5
8ca58687858a99cf6cf7ea6b97bf0051

SHA1
d9a8691c80479edf80e44352e5b87d34a59236ec

SHA256
1b97ca3bcbe6c80dff8784a9c8811455ac2e4ae0a8880610aefd6e2fc8f33f38

SHA512
fa620324e73d4624ca268f630a0fe2aae401d856b1515aa6e7b6b289928198f4349defa3cd8b7eaeaebe3ccca647bfe455618b33774a3608321b3479181fe54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMUk.exe

Filesize
437KB

MD5
850f878702eeeb53ea0563c7e90e3879

SHA1
c55d63f110923ccd76b6469210ce00e33d0e0853

SHA256
86c2558d73cafb45c1a5304596b1527069196e710fff0e027665fdd9690648eb

SHA512
1b3e64b562ae96561a0d4c0150002ee899f3f9afb9f27b6df97928dc0e39945642c2d5c4e9370a2e8f1eea59da9e2623bdf14f741cfb9068477c5c592ecf9368

Download Submit
C:\Users\Admin\AppData\Local\Temp\qokg.exe

Filesize
439KB

MD5
e9424b9ed1ffa65ec7e8e56e585379f4

SHA1
a5c909a7c62b4490c58c9be01e1c5a42d1df659a

SHA256
882c15bbcdd16f6b4cfc7ed6ee170925bf53ef5dc592ae1de47522d09024689b

SHA512
e0d672e3635813ed3f7f3219b2c941a9b46b6e18f4931f993e52f8ec3a4c3a0e36208d3f9e17bd6d73869b131b430037afb20f940cfb28a2b7fc80a6a1756785

Download Submit
C:\Users\Admin\AppData\Local\Temp\qskG.exe

Filesize
874KB

MD5
079e52f94337336a188297ea1bea68c0

SHA1
04e0d7a18add3f89412f4243f938ccdbbb7278b8

SHA256
de682d1f1412c1fdbd0e9b9ce7c598e254dd99f7f9ba7dd8f6cbcaf8d4a17398

SHA512
26260ddcdbcbe124813e4250c508bf76b49d434aae983975ae6ca1955edf85d3cebad1b6aeba66a572c69973e774c491b22da38a28870927c1252fb28fd0414e

Download Submit
C:\Users\Admin\AppData\Local\Temp\skAe.exe

Filesize
443KB

MD5
4f050c922dbc7f6ae2703871332740c2

SHA1
77284f1bc87f179dac99f6ad8a4d350241832551

SHA256
86e070fc1713b403dd5ab9401a57122aa13a87178b4375935a7075addde19ddc

SHA512
3b11d288f4b5cc7f90d82acbe41b590cef64b1df11d8499a0b642fbda976a9256044915b8cf5b33d06df69517350ab8b899c5dc1a4bdd602f5caacbcc80eb72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwgk.exe

Filesize
441KB

MD5
953962cfc68284438e07ebc71d431906

SHA1
573c6f08c759292b742b3c94bdd80fd3a15357f1

SHA256
d45f5b9cb9ec3cad302f97d125ea49f8b445663edd91b90efa7dae9a89b7ac94

SHA512
67cf2088ade47a733353dbc80d5db1ee5e10aaa26ac92d80d9f429dd34eb2dce93fc0217d7662c507260073441a7ba81333f7d5ca9bd68ee1edeac46c4868682

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwsw.exe

Filesize
441KB

MD5
20e9c5d94e55552289d492f860fc6eca

SHA1
1a06271399077be558e1a4547eafca03c03e5b09

SHA256
937288f5a8dba26f1c1670df6ba3afb474986a361ce83621afe02620c615594a

SHA512
dad499544b281db7adcb2d69e75e8b779beb1bb8a7b4ca948c2038da4c837fee2e51ab15ce7a522c2378d89f2cab4c80126fe022f19fbb5020f1cec0135a18db

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMYu.exe

Filesize
877KB

MD5
68ad9cbed54379793c977672645d3298

SHA1
648f4966147b953cc8011503bea1a0efae8144fc

SHA256
bd1480262ca8cb2dfcf78aa856fb2e6aa86a17119439dc20c330693df4bcefb9

SHA512
1de2a51a86bff3abaa5191bc8cfdebe06880bae660e06660a4d29aa4b6ef57538da0da2c1f5d74ecb232b5715d50364a3f33c0d2f7d261028fcb1384271f273f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQEs.exe

Filesize
887KB

MD5
e9c0e1af02a57cd31c36b057907664c7

SHA1
7ae6872c09d36d954d7e29fce1168015e83c7894

SHA256
8cfad23633541ae350836142a27539f418baff336ba034579ea1d7675f7811a4

SHA512
90a87458ed57c9e2c1314910ee15fbb5b199e7f72c4c71a9cb965efa2a7f347fa5a6aa3294c13b4a97a3070b1b945fe58ba15bfddad33b16496c307761317b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYgE.exe

Filesize
885KB

MD5
de214307462859e9e0c59cf58a2b0f31

SHA1
2d5cb01347cdc5e5c1e55b69249bba3c513b4305

SHA256
dc1ff36ecf7487194c67b34f2ff4746698b54df8652ee50f517db23de1e5153e

SHA512
eb225e1dbc5e0cdd976e4b33e73ddab30070929da360761a27c95f07b533f249918cda3d92823db84b7e2f1e7beb77c28d774eb870f152e808de89054d8d34c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysUE.exe

Filesize
472KB

MD5
d33f253d6e9b80d5b362e7e6fc0625d0

SHA1
0deb5651bb75765bbcd968f0c719ffd2fa3a30b0

SHA256
1ebdf0fa7782ed8a81cf59b5f43f8a184150e52b76e47d857aa1f90abb7bd498

SHA512
b2ef9a4190f8687fe2acb0da6014fbe57e22e1cc20a89baf19210f1d88c632b98aa304e0d894366b7acf26aacbddcaf090d0c1ea83c7eb77fc1226f54c804fb0

Download Submit
C:\Users\Admin\IaMsckYc\XyMUAoks.exe

Filesize
435KB

MD5
20ef0bb9d726158833b0264db999e913

SHA1
f1baea57358806549533f3ec45985dfd265bec5a

SHA256
4ca331443785f9d66ef251e8cc6a21c6ec449a9d33beb2283e45180e2f6245f0

SHA512
abbb7bdfe6b17af11d44d4ae7d0e081d128da44120c6007467fe90a9809792899c1674f128ac6f796c558f8b9c7ab10f53060b18624d64a7b21935c5e4b46313

Download Submit
memory/1392-683-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1392-755-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1460-16-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1460-126-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1936-143-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1936-154-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2024-30-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2024-43-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2136-142-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2136-131-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2260-440-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2260-515-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2272-167-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2272-179-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2508-253-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2508-267-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2584-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2584-91-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2780-53-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2780-39-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2876-111-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2876-8-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3132-594-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3132-501-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3172-204-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3172-221-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3292-175-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3292-191-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3584-209-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3584-187-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3740-217-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3740-233-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3924-241-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3924-257-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3964-49-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3964-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3968-201-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3968-99-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3968-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4008-315-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4008-435-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4116-129-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4116-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4160-104-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4160-87-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4256-746-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4260-281-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4260-263-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4564-163-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4564-153-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4784-343-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4784-273-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4788-79-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4788-229-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4788-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4788-245-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4908-117-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4908-100-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-130-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-116-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-699-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4952-590-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4976-21-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4976-31-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download