2db07ea0380b01591b156717d1d672e1fb635b2912ba4a31458cf129b084c2c9

Analysis

max time kernel
3s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 18:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

36311db92ba16f0f027923ae8e2986d9.exe
Size

484KB
MD5

36311db92ba16f0f027923ae8e2986d9
SHA1

1035038cd6a11fd88bf911cee28dbfc893e15420
SHA256

2db07ea0380b01591b156717d1d672e1fb635b2912ba4a31458cf129b084c2c9
SHA512

7a1e9a6d15376169f3fa8fbac8567e917cd8d11b5d8383b747357a5df5b7ae5d0dcde7b5a4469b07326264375d96c4cb77628d4383d23aaf2b33a2f4feede16b
SSDEEP

6144:il134tl8FukzDmBS+t/qRvtH9ySShKEHYjQiWOeHP/8AMlqCeM4DYnbZj6bADj49:G4t6zV+1MdySvjjIX8AMdbb0cXf

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 8 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4428	EoIEIEgs.exe
5116	VcAgAkUE.exe
3736	TaUsYkck.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VcAgAkUE.exe = "C:\\ProgramData\\wEIwwsAg\\VcAgAkUE.exe"	TaUsYkck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VcAgAkUE.exe = "C:\\ProgramData\\wEIwwsAg\\VcAgAkUE.exe"	VcAgAkUE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EoIEIEgs.exe = "C:\\Users\\Admin\\LEkokowA\\EoIEIEgs.exe"	36311db92ba16f0f027923ae8e2986d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VcAgAkUE.exe = "C:\\ProgramData\\wEIwwsAg\\VcAgAkUE.exe"	36311db92ba16f0f027923ae8e2986d9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EoIEIEgs.exe = "C:\\Users\\Admin\\LEkokowA\\EoIEIEgs.exe"	EoIEIEgs.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\LEkokowA	TaUsYkck.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\LEkokowA\EoIEIEgs	TaUsYkck.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5032	reg.exe
3220	reg.exe
4032	reg.exe
3144	reg.exe
4560	reg.exe
4812	reg.exe
2880	reg.exe
4008	reg.exe
3332	reg.exe
2996	reg.exe
4464	reg.exe
2904	reg.exe
4656	reg.exe
4660	reg.exe
4516	reg.exe
3832	reg.exe
3360	reg.exe
4476	reg.exe
212	reg.exe
2624	reg.exe
4868	reg.exe
2052	reg.exe
4280	reg.exe
4648	reg.exe
3708	reg.exe
2344	reg.exe
3296	reg.exe
3584	reg.exe
1504	reg.exe
4900	reg.exe
4160	reg.exe
3272	reg.exe
2520	reg.exe
452	reg.exe
3452	reg.exe
4272	reg.exe
2060	reg.exe
4160	reg.exe
4916	reg.exe
4324	reg.exe
3584	reg.exe
4872	reg.exe
3540	reg.exe
4816	reg.exe
4568	reg.exe
4960	reg.exe
1192	reg.exe
3828	reg.exe
4452	reg.exe
4668	reg.exe
2904	reg.exe
4008	reg.exe
1080	reg.exe
2924	reg.exe
5108	reg.exe
3564	reg.exe
2288	reg.exe
2652	reg.exe
856	reg.exe
4008	reg.exe
1564	reg.exe
1192	reg.exe
60	reg.exe
3196	reg.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1256	36311db92ba16f0f027923ae8e2986d9.exe
1256	36311db92ba16f0f027923ae8e2986d9.exe
1256	36311db92ba16f0f027923ae8e2986d9.exe
1256	36311db92ba16f0f027923ae8e2986d9.exe
1740	36311db92ba16f0f027923ae8e2986d9.exe
1740	36311db92ba16f0f027923ae8e2986d9.exe
1740	36311db92ba16f0f027923ae8e2986d9.exe
1740	36311db92ba16f0f027923ae8e2986d9.exe
3704	36311db92ba16f0f027923ae8e2986d9.exe
3704	36311db92ba16f0f027923ae8e2986d9.exe
3704	36311db92ba16f0f027923ae8e2986d9.exe
3704	36311db92ba16f0f027923ae8e2986d9.exe
3720	cmd.exe
3720	cmd.exe
3720	cmd.exe
3720	cmd.exe
4672	36311db92ba16f0f027923ae8e2986d9.exe
4672	36311db92ba16f0f027923ae8e2986d9.exe
4672	36311db92ba16f0f027923ae8e2986d9.exe
4672	36311db92ba16f0f027923ae8e2986d9.exe
3628	36311db92ba16f0f027923ae8e2986d9.exe
3628	36311db92ba16f0f027923ae8e2986d9.exe
3628	36311db92ba16f0f027923ae8e2986d9.exe
3628	36311db92ba16f0f027923ae8e2986d9.exe
4864	36311db92ba16f0f027923ae8e2986d9.exe
4864	36311db92ba16f0f027923ae8e2986d9.exe
4864	36311db92ba16f0f027923ae8e2986d9.exe
4864	36311db92ba16f0f027923ae8e2986d9.exe
3636	Conhost.exe
3636	Conhost.exe
3636	Conhost.exe
3636	Conhost.exe
4488	Conhost.exe
4488	Conhost.exe
4488	Conhost.exe
4488	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 4428	1256	36311db92ba16f0f027923ae8e2986d9.exe	91
PID 1256 wrote to memory of 4428	1256	36311db92ba16f0f027923ae8e2986d9.exe	91
PID 1256 wrote to memory of 4428	1256	36311db92ba16f0f027923ae8e2986d9.exe	91
PID 1256 wrote to memory of 5116	1256	36311db92ba16f0f027923ae8e2986d9.exe	1225
PID 1256 wrote to memory of 5116	1256	36311db92ba16f0f027923ae8e2986d9.exe	1225
PID 1256 wrote to memory of 5116	1256	36311db92ba16f0f027923ae8e2986d9.exe	1225
PID 1256 wrote to memory of 4376	1256	36311db92ba16f0f027923ae8e2986d9.exe	1015
PID 1256 wrote to memory of 4376	1256	36311db92ba16f0f027923ae8e2986d9.exe	1015
PID 1256 wrote to memory of 4376	1256	36311db92ba16f0f027923ae8e2986d9.exe	1015
PID 4376 wrote to memory of 1740	4376	Conhost.exe	1223
PID 4376 wrote to memory of 1740	4376	Conhost.exe	1223
PID 4376 wrote to memory of 1740	4376	Conhost.exe	1223
PID 1256 wrote to memory of 2176	1256	36311db92ba16f0f027923ae8e2986d9.exe	1222
PID 1256 wrote to memory of 2176	1256	36311db92ba16f0f027923ae8e2986d9.exe	1222
PID 1256 wrote to memory of 2176	1256	36311db92ba16f0f027923ae8e2986d9.exe	1222
PID 1256 wrote to memory of 4008	1256	36311db92ba16f0f027923ae8e2986d9.exe	1221
PID 1256 wrote to memory of 4008	1256	36311db92ba16f0f027923ae8e2986d9.exe	1221
PID 1256 wrote to memory of 4008	1256	36311db92ba16f0f027923ae8e2986d9.exe	1221
PID 1256 wrote to memory of 2592	1256	36311db92ba16f0f027923ae8e2986d9.exe	513
PID 1256 wrote to memory of 2592	1256	36311db92ba16f0f027923ae8e2986d9.exe	513
PID 1256 wrote to memory of 2592	1256	36311db92ba16f0f027923ae8e2986d9.exe	513
PID 1740 wrote to memory of 2232	1740	36311db92ba16f0f027923ae8e2986d9.exe	1220
PID 1740 wrote to memory of 2232	1740	36311db92ba16f0f027923ae8e2986d9.exe	1220
PID 1740 wrote to memory of 2232	1740	36311db92ba16f0f027923ae8e2986d9.exe	1220
PID 2232 wrote to memory of 3704	2232	cmd.exe	1219
PID 2232 wrote to memory of 3704	2232	cmd.exe	1219
PID 2232 wrote to memory of 3704	2232	cmd.exe	1219
PID 1740 wrote to memory of 4664	1740	36311db92ba16f0f027923ae8e2986d9.exe	1218
PID 1740 wrote to memory of 4664	1740	36311db92ba16f0f027923ae8e2986d9.exe	1218
PID 1740 wrote to memory of 4664	1740	36311db92ba16f0f027923ae8e2986d9.exe	1218
PID 1740 wrote to memory of 4448	1740	36311db92ba16f0f027923ae8e2986d9.exe	1217
PID 1740 wrote to memory of 4448	1740	36311db92ba16f0f027923ae8e2986d9.exe	1217
PID 1740 wrote to memory of 4448	1740	36311db92ba16f0f027923ae8e2986d9.exe	1217
PID 1740 wrote to memory of 2060	1740	36311db92ba16f0f027923ae8e2986d9.exe	1216
PID 1740 wrote to memory of 2060	1740	36311db92ba16f0f027923ae8e2986d9.exe	1216
PID 1740 wrote to memory of 2060	1740	36311db92ba16f0f027923ae8e2986d9.exe	1216
PID 1740 wrote to memory of 3516	1740	36311db92ba16f0f027923ae8e2986d9.exe	1215
PID 1740 wrote to memory of 3516	1740	36311db92ba16f0f027923ae8e2986d9.exe	1215
PID 1740 wrote to memory of 3516	1740	36311db92ba16f0f027923ae8e2986d9.exe	1215
PID 3516 wrote to memory of 4888	3516	cmd.exe	1077
PID 3516 wrote to memory of 4888	3516	cmd.exe	1077
PID 3516 wrote to memory of 4888	3516	cmd.exe	1077
PID 3704 wrote to memory of 1696	3704	36311db92ba16f0f027923ae8e2986d9.exe	1211
PID 3704 wrote to memory of 1696	3704	36311db92ba16f0f027923ae8e2986d9.exe	1211
PID 3704 wrote to memory of 1696	3704	36311db92ba16f0f027923ae8e2986d9.exe	1211
PID 1696 wrote to memory of 3720	1696	cmd.exe	666
PID 1696 wrote to memory of 3720	1696	cmd.exe	666
PID 1696 wrote to memory of 3720	1696	cmd.exe	666
PID 3704 wrote to memory of 3700	3704	36311db92ba16f0f027923ae8e2986d9.exe	1209
PID 3704 wrote to memory of 3700	3704	36311db92ba16f0f027923ae8e2986d9.exe	1209
PID 3704 wrote to memory of 3700	3704	36311db92ba16f0f027923ae8e2986d9.exe	1209
PID 3704 wrote to memory of 408	3704	36311db92ba16f0f027923ae8e2986d9.exe	1208
PID 3704 wrote to memory of 408	3704	36311db92ba16f0f027923ae8e2986d9.exe	1208
PID 3704 wrote to memory of 408	3704	36311db92ba16f0f027923ae8e2986d9.exe	1208
PID 3704 wrote to memory of 1460	3704	36311db92ba16f0f027923ae8e2986d9.exe	1207
PID 3704 wrote to memory of 1460	3704	36311db92ba16f0f027923ae8e2986d9.exe	1207
PID 3704 wrote to memory of 1460	3704	36311db92ba16f0f027923ae8e2986d9.exe	1207
PID 3704 wrote to memory of 3180	3704	36311db92ba16f0f027923ae8e2986d9.exe	1227
PID 3704 wrote to memory of 3180	3704	36311db92ba16f0f027923ae8e2986d9.exe	1227
PID 3704 wrote to memory of 3180	3704	36311db92ba16f0f027923ae8e2986d9.exe	1227
PID 3180 wrote to memory of 4444	3180	backgroundTaskHost.exe	1202
PID 3180 wrote to memory of 4444	3180	backgroundTaskHost.exe	1202
PID 3180 wrote to memory of 4444	3180	backgroundTaskHost.exe	1202
PID 3720 wrote to memory of 4788	3720	cmd.exe	1201

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
"C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\LEkokowA\EoIEIEgs.exe
  "C:\Users\Admin\LEkokowA\EoIEIEgs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:4376
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:3720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGAgYAYY.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:4300
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyQMAogw.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:856
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2968

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:1232
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksMsgwEg.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:3160
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:4180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:2924
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  PID:4452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4876
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yowskskY.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4008
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2176
- - C:\ProgramData\wEIwwsAg\VcAgAkUE.exe
    "C:\ProgramData\wEIwwsAg\VcAgAkUE.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2996
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2052

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:3708
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYoYMIsc.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:4416
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:2296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:1996
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  PID:4420
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  PID:4180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
    C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
    3⤵
    PID:4700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
      4⤵
      PID:3672
    - - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
        
        C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
        5⤵
        
        PID:2364
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
        6⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
        
        C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
        7⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
        8⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
        
        C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
        9⤵
        
        PID:4160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reAkMswI.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
      4⤵
      PID:4000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4444
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1688
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4972
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
      C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
      4⤵
      PID:3728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fawcwEAs.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:4816
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4476
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:232
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4952
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:5020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2852
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
    C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
    3⤵
    PID:3788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
      4⤵
      PID:3360
    - - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
        
        C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
        5⤵
        
        PID:3472
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2228

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:2228

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:3832
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMgYQMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1504
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIUwYAks.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwMUIYgg.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4272
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:2432
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
    C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
    3⤵
    PID:736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMAEkYwY.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3184
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
      4⤵
      PID:3128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQoogAYU.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
        5⤵
        
        PID:4864
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:3852
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
        5⤵
        
        PID:1612
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:2364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqcsUkos.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:3852
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4972
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3352
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAgQsEgc.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:1544
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3684
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3180
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5004
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:1776
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  PID:4160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQogIsoY.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:1224
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4816
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tegYwYsY.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
      4⤵
      PID:4000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3352
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4016
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
      4⤵
      PID:3520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1612
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:624

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:3128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:3516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:3332

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
    C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
    3⤵
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
    C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
    3⤵
    PID:4728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieYcwUQA.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3332
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
      4⤵
      PID:932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuAUQwow.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
        5⤵
        
        PID:212
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:5032
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEoYkckQ.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
        6⤵
        
        PID:4960
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1504
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1192
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4516
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:4456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOMwoMYg.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
        6⤵
        
        PID:2948
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4192
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4896
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
        5⤵
        
        PID:736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:3852
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1760

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:3180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:2668
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:5076
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSYYEogs.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuQEMEMw.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4664
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:4872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
      4⤵
      PID:3844
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2260
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2044
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3284
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2896

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:1688
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:2404

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:1352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcUIMMAI.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:1936
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3144
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
    C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
    3⤵
    PID:4528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EacYsswY.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
      4⤵
      PID:4816
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:4008
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4548
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
      4⤵
      PID:4272
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:3032

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WksccgQw.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biUEokAE.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkwMkAEw.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:3708
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3564
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:3832
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4872
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4900
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqQEQocg.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
      C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1544
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1592
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:3196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:1712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
    C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
    3⤵
    PID:1396
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3728

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:772
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zesYUAkA.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3452
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:4664

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIwosokE.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:2792
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2592
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4812
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4976

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:1828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:2896
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGMAgQkU.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:5000
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3272
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1192

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:1440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMEEsoIc.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcgIAkwE.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2696
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
        
        C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1740
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:1840
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1480
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2956
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImEYYYsA.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3332
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3700
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
      C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
      4⤵
      PID:3708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:3844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYEoMsgM.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:4884
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4952
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3196
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUswggIw.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3296
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:1316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqkYscwk.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:2996
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2344
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYgIwIkA.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:1440
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:4492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:2880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moYUEcIs.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:5076
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4276
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3532
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:1384

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keYIgoAo.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:4568
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4916
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2344
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4764

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOoEIYUk.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:1416
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3196
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1488
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkIUUkUs.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSIkwAwA.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
      4⤵
      PID:3852
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:3144
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1192
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2956
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4308
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:3836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:2000
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2792
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:3516
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3184
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
    C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
    3⤵
    PID:4488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hukYQwMg.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muUUMgIw.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:3468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:4884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmAUgwAk.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:3728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vowMAwAM.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCAkIIoU.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:1440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
      4⤵
      PID:1384
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSgQcwIw.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
      4⤵
      PID:3480
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4344
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4952
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
      C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loIkcEYM.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4000
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1232
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:3360
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2904
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4436
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:976

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoAgQsYI.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAUIwMUs.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:3788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kisEIgwI.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:60
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4872
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3284
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYcIscIk.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:528
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5012
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4488
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:60
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swUwsgAQ.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4864
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAMUIggg.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:3160
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1224
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYwcYQks.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:920
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:2520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:3636
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  PID:4944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcQEEYgo.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:3352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkQccMMY.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWAIcoow.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4980
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3884
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:4788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osgoMYsY.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcgcUIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:3728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQscIcMQ.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:4960
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqMQEgUE.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:4864
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:4876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqQoUMco.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
      4⤵
      PID:4572
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woMwkQQU.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
        5⤵
        
        PID:1456
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:4560
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:932
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
        5⤵
        
        PID:4488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
        6⤵
        
        PID:4464
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VaAUIsAY.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:4160
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4032
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
      4⤵
      PID:2208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\posEEkUA.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:3160
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:3416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEMcsIkA.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:3196
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4476
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:228
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiwsAggk.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcYksMEs.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4648
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaQYMoMg.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:3276
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1760
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2288
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:4488
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moUEkoMM.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:4444
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgEoEEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqUUgcoI.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:512
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4660
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3144
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSQwEMYc.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:4416
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqgEkUcU.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jigIscYk.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:5012
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:1080
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
    C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
    3⤵
    PID:4648
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAAUYEcA.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:768
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:5108
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:1800
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:3148

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:2232
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGkYkMIU.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:2880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3180
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4444
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoAkUwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2216
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuAQQsoA.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:1080
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
    3⤵
    PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:1232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4220
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1064

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQkAggkY.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:3924
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1472
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4228
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4788
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQEwQQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:1800
- C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
  C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:4568
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwUEIQcA.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:3160
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwgcIQEA.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2060
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4448
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkIEQQwM.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3360
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2948
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2052

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQQYYQAI.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWQwEEYo.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
  2⤵
  PID:2060
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4592
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3884
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
  2⤵
  PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaoQMsYo.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkcUEoAs.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3828

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:2912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySkQogUc.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1592

C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMkwYAcg.bat" "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9.exe""
1⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\ProgramData\zcYwsAoU\TaUsYkck.exe
C:\ProgramData\zcYwsAoU\TaUsYkck.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3736

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious use of WriteProcessMemory
PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wEIwwsAg\VcAgAkUE.exe

Filesize
431KB

MD5
1c8ce6f791d8233e8bd9b270ea705d89

SHA1
f78b7f74ed4fa2b14bb386908e9382eea5556612

SHA256
3b73435661ee689a00fb1dfcdc322bc9f4800b355478410192d5048f1c0d2e09

SHA512
963d55265aaac659c4284dad6bce9c3ffd62cf6a05a58cef9c79c0a0ae97b9c59156392066e63ae226e91a5eeafccebd2af18d914c75299a63801266bde473f7

Download Submit
C:\ProgramData\zcYwsAoU\TaUsYkck.exe

Filesize
436KB

MD5
b3c708d3df9632ee263e5fc4cc2c1e8f

SHA1
492ede3562ab45821de04a3726b3c69c21647a27

SHA256
0ddf4095745e437eedebca633517ed99bbb4b64b73b9e633f3764686b273a178

SHA512
9c22af6f36a662333807a2f14fb34f1576efd60d4eea1970cf536fa13f6fb2999135c7b78f9e3c2d51f229e55e8cddbcfe693cefaa32a8c56ad29af04396dfbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

Filesize
436KB

MD5
ec045527551290ff1a06db623bc529e6

SHA1
68d61b404950c02f36830f7b7f724ee086c04bd8

SHA256
0b5c6697791857680c7419adf0239672584f4fd21703c5bf7ed37337d1ff865e

SHA512
d595876b768bef71a58c08a8f24087e5cee2fcb6e1b2cb0e7b7e0372f8bf9ca987aef625481f0b12734e10b84476cae43f33d5a16ce3bbc6882103598e3c08c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

Filesize
437KB

MD5
1c9a5e9b74cb7fcab54c0c8ed25ea9f9

SHA1
7ea3019bf37466c2555caa7341199d4a6043e008

SHA256
3e2b32fa285663c116bedc5ec7616ee7b9f13da033c83bf49923391133d88fc5

SHA512
7a722eb613650e1651288b0aa672b139e8d33b858689005b9f8a74ae2b39c20e994cc190d6f34e88a0e23545bb94fd67b68f4cdfde5c64b8a215936cc3e61cd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

Filesize
440KB

MD5
1d44624bbbe83dd1db20fcba98e8bafb

SHA1
c66d6dca653ed1ff435d0b622d403eda32a5c033

SHA256
ad6b94f4e983d725d714dde2106c143e093331d69b140a566536c1ec6b7064d1

SHA512
f97d92d9fec26a0320a565afb78617cc8b569af75a340ca0949f42837434d2c9049d14b6441371216e8a2cdf182533dc8e15cb4aec9321ef8ee508523f3c9203

Download Submit
C:\Users\Admin\AppData\Local\Temp\36311db92ba16f0f027923ae8e2986d9

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcYQ.exe

Filesize
439KB

MD5
d694ad462e3232cab80956f218a93a4e

SHA1
a743754ae37c708199bc8468659e0bb37051f975

SHA256
33cf2fa55234ac191e2ba689d70a17e54161256654af46a162fa11f157983f37

SHA512
5b5db312c713c12d07460fc1dc4d1580d52ecaa69694ee59f27c09487c181d96898c954473841135bf87271263b6ca0f434e06e041ea540964b31ff7e3f14620

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgQC.exe

Filesize
434KB

MD5
9b52d7a49acb6438e60d604509697aab

SHA1
576ccd590b519135bef96ea6bd9fdff597aa63eb

SHA256
8c82b7348058897c864aa8c286cc9a63a80fdaa1678151801f1db65859909313

SHA512
0fe4c94ae2ad3fcf6c71b29664dbfb4b9e9109b2542ffd25ec2b3f08842b5397f3f851d3f9cdbe5eec17b128eb68dd7438e0bc97740ed8a3676fe947c408c398

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ckws.exe

Filesize
444KB

MD5
b90e9f18457685ba7901baaa9ff16d94

SHA1
e31e1ad2e328c901512d5b47f306b449bc8bed50

SHA256
81db3694bca4f70c5ff31aad8738c43b20756bdeb07eea8c6760903ca63d85c6

SHA512
f0aed4ed745fe344960503be2a6f4678466d213cd468782c88aa405222ce8b36e059606dbc3ebe244d1ba73def9017a252348c0d2d1c41490bece0cf75e34818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekwo.exe

Filesize
669KB

MD5
14a2f27eda7eb719152f477fe6c3d404

SHA1
1f823477956b3dba6d5c964bd481411c600c2167

SHA256
78487a7f1465e7cf0db9382560b09116fba5cb9d344369db90f147633855307f

SHA512
b17526f319d112490f6fd3c1774ada95eeb7a02bb50f8db03b7b70ae5dc47fd142bab7ec904b28829b46d0a5fc4908af6b4c39679393f0af32ed42bb6e082633

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUUq.exe

Filesize
454KB

MD5
41cf59ae7372108f116b75778eadd57b

SHA1
e504821632aee7e7d2a5115ec4ea61f9a756762f

SHA256
1471451ec8d42bccfeffa5aa2a71128f80be0243ccb2946fd5f27b68ee3e3146

SHA512
811199d37b92a9ad08944dbe2d8af0f2f2c4016b5c9209e7766326bcc0a4ffa67faa58eddd5515166f42058894707e7dbaec1a65234cd40aa8cd93fbd482788a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgAm.exe

Filesize
438KB

MD5
5a5a7ee697a36ff89ff72adacdd6b937

SHA1
bbd4d2ee50ebf8db4f7807e6728b55012c675812

SHA256
5c8eb0e91db4d6b7af9915dde9d873c213fc66f9ba38e394b714529019bd1c76

SHA512
9069b76350f6040933acf333305f57199ca15ea375d57e4061b850c328d50776afcd31df86d0d0590d8b46016ae0b59666d2a77a5fac02ede09a51331955fcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkIy.exe

Filesize
439KB

MD5
5fbb88413a61060cab4b8fd23a2efbbd

SHA1
f578dc68c73be2311c341648bef5b3c520f6330d

SHA256
1e02bb0438d6303071e74a45af31834fa031c4d4c90ee6890881a19039f32979

SHA512
d271d7a034c8f15c0912bf8f630ca70d032923251e8351fe563efc68d441d001cc10efc99d178e54488464f60b2bbfb0379ff6e094c88948936d25437fb8ab59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwQu.exe

Filesize
1.0MB

MD5
9871c5e42e709ee64019564009fed77d

SHA1
497e25bf8664c4f75a6c893ec5ec0f4a418245a3

SHA256
6dcfca9b67499da83fd54ac39360dd0aff85c9058d12831d5519be0612363d3d

SHA512
b87f63b6b66fee25b573e7898a684a832d895de25db26909bb69ef94d486f3a22903257d4e27607b9b68311a7c5add3eca61ef7da51b6daecc0f0df187629507

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQQU.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQwu.exe

Filesize
439KB

MD5
e42329e4c634480ba8eac8ef05374f8a

SHA1
084b0608f0e18de51620dca6af604e13ac15c0a8

SHA256
8256e645ed4ff12c2bcc1f40538cc8fc2d8eeab382eeb809e19f828cf2d9375f

SHA512
316daab6c644912687a36bf7ff9f4706adb9ea1236ccf324ec43d341f8142fc3c2b28a68d2126126ea28792b59fbcfa9324e4e411e59c7e3581b92e0aae6fce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMgM.exe

Filesize
438KB

MD5
61eee8d366378746e92b0989c7423a2f

SHA1
de475b277dcc4a7dd9b38724d9197a2f0163d9a2

SHA256
5f68c0adf0f3dbf54dc49459227a967bba6796f1b2363624ce4254eeff2739f4

SHA512
fe349ffb4dbc3e6e2d9a102b51653ebd925be893bd5f3d69607cc329acc08d07402297032b321ec09b3456e78a5bd02588bea8c477f35bee010ebf49a85a6346

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYIK.exe

Filesize
440KB

MD5
118cd5e4c05bbac1fe265483a8ae98b3

SHA1
98e61b49753e45c27941386a7c7a1c966b15bd7d

SHA256
8770fe1b311866a2ecec0e999494f750e1e9e0f71f7eb6de220eda1be6d4d3f3

SHA512
d07e0811fc8c812b2d9017473b26a8ccba8b12abcd49ac2a44176ce6331355f5f11ef297e797d31795bdd8185631ae50e80c45a02d9acf7f1a7512c2d79ce34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsYC.exe

Filesize
5.5MB

MD5
d641c19a8e046513f8e7728150e8df36

SHA1
729cbbda7fdad28234a1a86ace8db0a3fa8a7b38

SHA256
b2273802c320d847c505ffcc975e19702c010b6bc2eee40c7655a12950f9867d

SHA512
8375b7b65972cd03e7cc066ad1eae234b3ee5c8f1633282033e2ffa71de5d0e07293466265856d89a2bef1280d48b9f24779f7725c3e43c1f7be666f50fd769f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkIEQQwM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMUy.exe

Filesize
439KB

MD5
6d89355710a777ef73f8bd464d1db857

SHA1
62c219ed369098ccd2e488f46108dc0167c63a46

SHA256
09ce2360180cb6980955656f8a5fe6388ac04b00014d64b937f49f5dc32fecb9

SHA512
cc28b72e94c1bbb1483b700cf04b7b57371b3e6e230fee43e3f310fef10ebc6a1c6fa98642655008af44cd43940cc775d66e225cb26a23e195fe39765d5d0d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoYQ.exe

Filesize
436KB

MD5
bd7a3d1da37db2a6735ad20c9cc9dcd9

SHA1
bb704fe0098d94d2b616995dea4f54a2defb2de7

SHA256
e16559bd3e3094bb1a39a02d4dd42c8254b7cd0e0f6ea1be36cf8098a2341a87

SHA512
20ef9e01bd4520b089812f7c3094cf951d24626e64604c04a0520430ae2a90c15e7af8897ad0b5b91573a0406d2051e422f1ab9125bea1b1702a836bdc6b26dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAkw.exe

Filesize
480KB

MD5
efc2c5804627f4b20944261b29072b21

SHA1
0acadf79acfd7d6757a34821951c9d9f372d64ba

SHA256
cc1212a24123d9cdac5c6d5465d7b9fc7b5bd7c74f9e91afb69b460c9af3b139

SHA512
4ce937b8ad8768646dc40572eae53e9b81d3ea1194855d5167939f522bd284087de85e5a04c92dd0b60606a2f641c14b64f5c578591abf60657f03cfe6bacca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsMe.exe

Filesize
811KB

MD5
98eaf7383875964a62f261a8e7ace1d9

SHA1
3a72750436d940cb0c73ff827b8420738cebed89

SHA256
828e860de2e275d0537bb91e8ad2166b92ec2985028f528ca2fb22cd2ee8f311

SHA512
91908320ce1e246112aad80b69a3cde97522830fd6757d07483166d2eb7b2d567ae0f4c151c1b6e5dd3d65ec4f4a9766e6367b405ddeba024b9018ec98518975

Download Submit
C:\Users\Admin\AppData\Local\Temp\aggW.exe

Filesize
446KB

MD5
602071c472f232c3b7c9b506cd9c8cc0

SHA1
a321f59615d29eb4c0a9bf7bed0bd077eb61af5c

SHA256
48aab56b0b7090d6d46d4eb4b1c803e6153dfb34494a1877e620360a5cb61da2

SHA512
eca24792d979e79943d76725f9ec7b7a69927ab6a9b4d82133f3ebe8c390d33151c57a0d1d2bc7ad136d56d014fab56c30acc1f941d0ace19dbd75e59cf77325

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEUS.exe

Filesize
438KB

MD5
e9e45b19cd405f2c08619219bf4154ae

SHA1
1d79a73a212769ba3d06be7761ed8adcbb26c962

SHA256
7a95b9a10f3a56e39bc58127b4824e5ea9b8e334d213b26278276595f0ae2fd2

SHA512
fcebb76983841283483cefdf90d578749a8788f84e18d3d1670c1ca086de6f164506f040dbdaa351024663847763bf0770951203536dcaaebae55af52c9c859e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEsA.exe

Filesize
441KB

MD5
1b0b4b510cbbbc87ad16be9a2f6303b3

SHA1
ebe84d2f25cee15278145771270e81f8e6730ad2

SHA256
24970c081dad6515ae8d2fb7387e6a436b2249d31474f0376c1d342599a1d2db

SHA512
cb40abd98688783da81c112b4ca047f323b06531cf3f74071948bb8c04a0699177b2759bff97b09ae2bf6cbf945d4488ff2149bf218c360d0430038700208fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcYu.exe

Filesize
439KB

MD5
34251ba4d28323e6913fe9b134f53b51

SHA1
1acd2d0e1627f57f2aa4cef190947f7e3f89ebce

SHA256
57055099d75eac88d53b4065c574a9e9cd46adeedda5306907deb8e32e638dd9

SHA512
658df3d5d22b536297f5e98aab2b40f5aa0756a9099dd0d4947aebded57daa14c72520ce46b08975a57a94eda339bb287c585820ff62ff706527294807d4e5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAUQ.exe

Filesize
436KB

MD5
6ce42000eb4af12c172a44d89dea6be1

SHA1
01939e0d015d9b0305d8942c7c45891ead0a4a45

SHA256
2330986bd59dc1cdc61318e732eb04d07222f2eb8751428f82a7ceb53061a77c

SHA512
6fb7ca2a4c8e817032c3e20e16cd8f974ef52a0c4bf7d2ffdaacbe1285ad221bd42331433912c3b481a3e9f788164da4eac14b03ba78896b031bfd07bc5ee785

Download Submit
C:\Users\Admin\AppData\Local\Temp\igME.exe

Filesize
1.0MB

MD5
676f1aa610a46d2e408bbbd44696fbcb

SHA1
c321062b0f8263cb1f3af30348168206ad13d94e

SHA256
ba55cc765aa8966390fb6ce591958540e019ecc4befe0eb3a2c3173df13bcdd2

SHA512
ffaa2db1ebe5da47eb0e3c168bce1e51688ea8a7bcab9c4642a216e742459b8549c1bc6faaf953cbfe6cc49f9a60b9a8f98d8afd8853532bc91dde6de564b606

Download Submit
C:\Users\Admin\AppData\Local\Temp\kskk.exe

Filesize
887KB

MD5
49d47926d5238a0cd214a5463230c51d

SHA1
942b9a8e6ed840c4b7058414e707fc78f6c31172

SHA256
2a371724f256221b04a333fdfc9ae50ce3a034f6c570bc24aebd5d952d534304

SHA512
b8535f711a4f7fff08bf1de04a0fc0fe905ca4ea81a3d9352dbfed6f09fd0cbf2c88788c1959d37f824db611a16b733e131d0d3e5e01adaa5bfe15d3c24e50ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\msMI.exe

Filesize
463KB

MD5
9e121becabfffe960abcc4ac55026eba

SHA1
19f4dfd2c9e2fb45897394f8476aef8f35efd6de

SHA256
9a296b7bb521b426a0e9298342b2b808eb5cde3692bc738b14b347a77c580a2e

SHA512
5caf05b045b9903f78fffbb8ac7c013c67544f8db2a18085ac4d6b4665c931c965912f0dcf5d62a533a247727e940f274c3031ce34ea84e52f8ef15d6629da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\oocq.exe

Filesize
439KB

MD5
fecead563744a6f5a7a77d88516ed3b7

SHA1
4eb95f287462724d233e3ad085662d2a7ddf45c4

SHA256
83010d839cf6ee14ca7b0bb41467f5f06b71dfa663059d4c5691d891468593d3

SHA512
944894db002cf8ba558a3c1fcd3622c0be7d89d4dd35dddbf0fa5873a36881a580c2cafaa2009b33758a3d8c6014498ab08d9a17c801475d2eb072999c81d42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEcI.exe

Filesize
444KB

MD5
1652867168dea911bf85d4e19e75aaa6

SHA1
1b9bc5984408c9d6a1650feb0169dcbc4900afb3

SHA256
ab3a5df8983a2bca7ae489241ddffbb80743d4ee580907f5b215c437f627fe48

SHA512
3f801886aecb4c57bdcff95dbbedef86935df19badfbd96bcbbd57bacc709c695f222e0464c15a31169d09965d23957a4a6f4de876096c53c313e3fc79baeef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoou.exe

Filesize
462KB

MD5
b52e2605e6eeaaa0200a07d9e028a594

SHA1
1ee6daeac99d452baad446f3fb39cc81e5454970

SHA256
9b609c890e61d99daf65396ab4eae97f07de244c8d6a3de74aab8280df8e78f3

SHA512
d04f599fbbe1f783c9e7bdba41df8ae911c3c81b69483d1cdb30a210c94185e7b885b29129f8a466203cde565819959fee70b0c8828dbddbe15704b23abefe03

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAIu.exe

Filesize
1021KB

MD5
21b67bca092035937e26490382b014df

SHA1
0a04c8bfff0a164e3ea79140c1a36d138f8b07c8

SHA256
df2a25e5eb2e15f4462747f4f0acc9958ac6cd2054ffd8bb12c4b779c6357837

SHA512
b39c7366b231a4e7fb8f239ef529f5f92985eacb57a91bafda63ec27064ffde896ef8faf77399f0723ab39650560d2551130d19b3a3c9ad69aa7e7268b5c69bf

Download Submit
C:\Users\Admin\LEkokowA\EoIEIEgs.exe

Filesize
434KB

MD5
349f715dae90b4a726786a8b99d3532d

SHA1
0979e0f3bfe659362f0da95f15ccd4c5f6d794dc

SHA256
b11b3dde807a9b639f8e6e16718d362b7ec7b61e1e2fb6de7560477ded91e6bd

SHA512
87b8fb2dc720b90f5d731a22acb899ebdc17d81b8194a9d38116167a7cd7f1c28131617fa6fa89633cdfb7ce5a05fa0b8347a689b02ca26923867769c14da437

Download Submit
memory/1232-165-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1232-151-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1256-90-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1256-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1256-221-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1440-140-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1440-155-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1472-326-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1740-22-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1740-31-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1924-253-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1924-267-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1924-303-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1924-290-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2624-166-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2624-179-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3628-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3628-79-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3636-91-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3636-106-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3684-229-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3684-245-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3704-27-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3704-43-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3708-330-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3708-241-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3708-257-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3708-317-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3720-38-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3720-55-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3736-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3736-126-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3920-263-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3920-276-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4180-127-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4180-143-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4428-100-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4428-8-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4452-272-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4452-285-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4456-114-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4456-131-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4488-105-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4488-118-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4648-294-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4648-281-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4656-213-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4656-199-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4656-321-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4656-308-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4672-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4672-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4864-92-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4864-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4876-175-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4876-299-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4876-312-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4876-191-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4888-218-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4888-233-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4944-203-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4944-190-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5116-16-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5116-101-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download