5e202263da8838e5ec94d33ed01b0f049b93408907056750c46effa8191e47b2

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bdfe2e2ff422d839e789f0bbde6191b.exe
Size

484KB
MD5

4bdfe2e2ff422d839e789f0bbde6191b
SHA1

0f2b2a5c4746bd977d9a8d0e0769b4cd8200680a
SHA256

5e202263da8838e5ec94d33ed01b0f049b93408907056750c46effa8191e47b2
SHA512

82f0bcc83271466263b98fd958948abfbfc7bd3d65ab6ec7871474aae900e7c73eda5906645d2369cc9d3977b7291c3252b4f3b92521a6b2632554fba24516e4
SSDEEP

12288:Oc4lTefFF2E2vYV/0Qz9FjtutvrhsJfpr:ayFFt2vYV/Dtus1

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 62 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 60 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wmiprvse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4bdfe2e2ff422d839e789f0bbde6191b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (60) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\Geo\Nation	cAYggEUU.exe

Executes dropped EXE 3 IoCs

pid	Process
2884	cAYggEUU.exe
2996	tkoAoEow.exe
636	GIkkkcEQ.exe

Loads dropped DLL 22 IoCs

pid	Process
1476	4bdfe2e2ff422d839e789f0bbde6191b.exe
1476	4bdfe2e2ff422d839e789f0bbde6191b.exe
1476	cmd.exe
1476	cmd.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tkoAoEow.exe = "C:\\ProgramData\\xUsgkgIU\\tkoAoEow.exe"	tkoAoEow.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tkoAoEow.exe = "C:\\ProgramData\\xUsgkgIU\\tkoAoEow.exe"	GIkkkcEQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\cAYggEUU.exe = "C:\\Users\\Admin\\fWIsowwk\\cAYggEUU.exe"	4bdfe2e2ff422d839e789f0bbde6191b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tkoAoEow.exe = "C:\\ProgramData\\xUsgkgIU\\tkoAoEow.exe"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\cAYggEUU.exe = "C:\\Users\\Admin\\fWIsowwk\\cAYggEUU.exe"	cAYggEUU.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4bdfe2e2ff422d839e789f0bbde6191b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4bdfe2e2ff422d839e789f0bbde6191b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\fWIsowwk	GIkkkcEQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\fWIsowwk\cAYggEUU	GIkkkcEQ.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	cAYggEUU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2528	reg.exe
2980	reg.exe
2560	reg.exe
2628	reg.exe
960	reg.exe
1304	reg.exe
2724	reg.exe
872	reg.exe
2072	reg.exe
1076	reg.exe
2888	reg.exe
1880	reg.exe
2408	reg.exe
2532	reg.exe
1008	reg.exe
2644	reg.exe
3048	reg.exe
1964	reg.exe
1304	reg.exe
2204	reg.exe
2292	reg.exe
580	reg.exe
2440	reg.exe
1296	reg.exe
1888	reg.exe
2088	reg.exe
1912	reg.exe
3028	reg.exe
580	reg.exe
1188	reg.exe
1996	reg.exe
1636	reg.exe
540	reg.exe
1076	reg.exe
2768	reg.exe
1608	reg.exe
2348	reg.exe
872	reg.exe
1856	reg.exe
2328	reg.exe
2340	reg.exe
1656	reg.exe
2504	reg.exe
384	reg.exe
2796	reg.exe
2468	reg.exe
1844	reg.exe
1624	reg.exe
3016	reg.exe
2972	reg.exe
2392	reg.exe
1880	reg.exe
1968	reg.exe
1548	reg.exe
2480	reg.exe
844	reg.exe
1684	reg.exe
2792	reg.exe
2532	reg.exe
1072	reg.exe
964	reg.exe
2952	reg.exe
712	reg.exe
1676	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	4bdfe2e2ff422d839e789f0bbde6191b.exe
1476	4bdfe2e2ff422d839e789f0bbde6191b.exe
2672	4bdfe2e2ff422d839e789f0bbde6191b.exe
2672	4bdfe2e2ff422d839e789f0bbde6191b.exe
2760	4bdfe2e2ff422d839e789f0bbde6191b.exe
2760	4bdfe2e2ff422d839e789f0bbde6191b.exe
944	reg.exe
944	reg.exe
2240	conhost.exe
2240	conhost.exe
2428	4bdfe2e2ff422d839e789f0bbde6191b.exe
2428	4bdfe2e2ff422d839e789f0bbde6191b.exe
1684	reg.exe
1684	reg.exe
2488	4bdfe2e2ff422d839e789f0bbde6191b.exe
2488	4bdfe2e2ff422d839e789f0bbde6191b.exe
2760	4bdfe2e2ff422d839e789f0bbde6191b.exe
2760	4bdfe2e2ff422d839e789f0bbde6191b.exe
776	4bdfe2e2ff422d839e789f0bbde6191b.exe
776	4bdfe2e2ff422d839e789f0bbde6191b.exe
2240	conhost.exe
2240	conhost.exe
2896	4bdfe2e2ff422d839e789f0bbde6191b.exe
2896	4bdfe2e2ff422d839e789f0bbde6191b.exe
2588	4bdfe2e2ff422d839e789f0bbde6191b.exe
2588	4bdfe2e2ff422d839e789f0bbde6191b.exe
900	4bdfe2e2ff422d839e789f0bbde6191b.exe
900	4bdfe2e2ff422d839e789f0bbde6191b.exe
816	cmd.exe
816	cmd.exe
1652	4bdfe2e2ff422d839e789f0bbde6191b.exe
1652	4bdfe2e2ff422d839e789f0bbde6191b.exe
2652	4bdfe2e2ff422d839e789f0bbde6191b.exe
2652	4bdfe2e2ff422d839e789f0bbde6191b.exe
1660	conhost.exe
1660	conhost.exe
2068	conhost.exe
2068	conhost.exe
324	4bdfe2e2ff422d839e789f0bbde6191b.exe
324	4bdfe2e2ff422d839e789f0bbde6191b.exe
1152	4bdfe2e2ff422d839e789f0bbde6191b.exe
1152	4bdfe2e2ff422d839e789f0bbde6191b.exe
2352	conhost.exe
2352	conhost.exe
3020	conhost.exe
3020	conhost.exe
2464	4bdfe2e2ff422d839e789f0bbde6191b.exe
2464	4bdfe2e2ff422d839e789f0bbde6191b.exe
1732	conhost.exe
1732	conhost.exe
1180	4bdfe2e2ff422d839e789f0bbde6191b.exe
1180	4bdfe2e2ff422d839e789f0bbde6191b.exe
1176	4bdfe2e2ff422d839e789f0bbde6191b.exe
1176	4bdfe2e2ff422d839e789f0bbde6191b.exe
1488	conhost.exe
1488	conhost.exe
2176	4bdfe2e2ff422d839e789f0bbde6191b.exe
2176	4bdfe2e2ff422d839e789f0bbde6191b.exe
2776	4bdfe2e2ff422d839e789f0bbde6191b.exe
2776	4bdfe2e2ff422d839e789f0bbde6191b.exe
2840	conhost.exe
2840	conhost.exe
1848	4bdfe2e2ff422d839e789f0bbde6191b.exe
1848	4bdfe2e2ff422d839e789f0bbde6191b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2884	cAYggEUU.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe
2884	cAYggEUU.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2884	1476	4bdfe2e2ff422d839e789f0bbde6191b.exe	28
PID 1476 wrote to memory of 2884	1476	4bdfe2e2ff422d839e789f0bbde6191b.exe	28
PID 1476 wrote to memory of 2884	1476	4bdfe2e2ff422d839e789f0bbde6191b.exe	28
PID 1476 wrote to memory of 2884	1476	4bdfe2e2ff422d839e789f0bbde6191b.exe	28
PID 1476 wrote to memory of 2996	1476	cmd.exe	817
PID 1476 wrote to memory of 2996	1476	cmd.exe	817
PID 1476 wrote to memory of 2996	1476	cmd.exe	817
PID 1476 wrote to memory of 2996	1476	cmd.exe	817
PID 1476 wrote to memory of 2608	1476	cmd.exe	816
PID 1476 wrote to memory of 2608	1476	cmd.exe	816
PID 1476 wrote to memory of 2608	1476	cmd.exe	816
PID 1476 wrote to memory of 2608	1476	cmd.exe	816
PID 2608 wrote to memory of 2672	2608	cmd.exe	815
PID 2608 wrote to memory of 2672	2608	cmd.exe	815
PID 2608 wrote to memory of 2672	2608	cmd.exe	815
PID 2608 wrote to memory of 2672	2608	cmd.exe	815
PID 1476 wrote to memory of 2828	1476	cmd.exe	814
PID 1476 wrote to memory of 2828	1476	cmd.exe	814
PID 1476 wrote to memory of 2828	1476	cmd.exe	814
PID 1476 wrote to memory of 2828	1476	cmd.exe	814
PID 1476 wrote to memory of 2624	1476	cmd.exe	813
PID 1476 wrote to memory of 2624	1476	cmd.exe	813
PID 1476 wrote to memory of 2624	1476	cmd.exe	813
PID 1476 wrote to memory of 2624	1476	cmd.exe	813
PID 1476 wrote to memory of 2796	1476	cmd.exe	811
PID 1476 wrote to memory of 2796	1476	cmd.exe	811
PID 1476 wrote to memory of 2796	1476	cmd.exe	811
PID 1476 wrote to memory of 2796	1476	cmd.exe	811
PID 2672 wrote to memory of 2528	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	808
PID 2672 wrote to memory of 2528	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	808
PID 2672 wrote to memory of 2528	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	808
PID 2672 wrote to memory of 2528	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	808
PID 2528 wrote to memory of 2760	2528	cmd.exe	741
PID 2528 wrote to memory of 2760	2528	cmd.exe	741
PID 2528 wrote to memory of 2760	2528	cmd.exe	741
PID 2528 wrote to memory of 2760	2528	cmd.exe	741
PID 2672 wrote to memory of 2928	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	806
PID 2672 wrote to memory of 2928	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	806
PID 2672 wrote to memory of 2928	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	806
PID 2672 wrote to memory of 2928	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	806
PID 2672 wrote to memory of 1920	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	805
PID 2672 wrote to memory of 1920	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	805
PID 2672 wrote to memory of 1920	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	805
PID 2672 wrote to memory of 1920	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	805
PID 2672 wrote to memory of 2408	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	803
PID 2672 wrote to memory of 2408	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	803
PID 2672 wrote to memory of 2408	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	803
PID 2672 wrote to memory of 2408	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	803
PID 2672 wrote to memory of 2784	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	801
PID 2672 wrote to memory of 2784	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	801
PID 2672 wrote to memory of 2784	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	801
PID 2672 wrote to memory of 2784	2672	4bdfe2e2ff422d839e789f0bbde6191b.exe	801
PID 2784 wrote to memory of 1216	2784	cmd.exe	744
PID 2784 wrote to memory of 1216	2784	cmd.exe	744
PID 2784 wrote to memory of 1216	2784	cmd.exe	744
PID 2784 wrote to memory of 1216	2784	cmd.exe	744
PID 2760 wrote to memory of 1796	2760	4bdfe2e2ff422d839e789f0bbde6191b.exe	799
PID 2760 wrote to memory of 1796	2760	4bdfe2e2ff422d839e789f0bbde6191b.exe	799
PID 2760 wrote to memory of 1796	2760	4bdfe2e2ff422d839e789f0bbde6191b.exe	799
PID 2760 wrote to memory of 1796	2760	4bdfe2e2ff422d839e789f0bbde6191b.exe	799
PID 1796 wrote to memory of 944	1796	cmd.exe	573
PID 1796 wrote to memory of 944	1796	cmd.exe	573
PID 1796 wrote to memory of 944	1796	cmd.exe	573
PID 1796 wrote to memory of 944	1796	cmd.exe	573

System policy modification 1 TTPs 14 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4bdfe2e2ff422d839e789f0bbde6191b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4bdfe2e2ff422d839e789f0bbde6191b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
"C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\fWIsowwk\cAYggEUU.exe
  "C:\Users\Admin\fWIsowwk\cAYggEUU.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
  C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
  2⤵
  PID:3032

C:\ProgramData\cOsckYQY\GIkkkcEQ.exe
C:\ProgramData\cOsckYQY\GIkkkcEQ.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:636

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2760
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:2544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    PID:716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1216
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:540
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1836

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2068
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1152
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWAQAcos.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:964
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2496
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:1072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2352
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2696
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSwQccYs.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:1528
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:684
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1636
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:1104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:664
- C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
  C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ImQoAkMo.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1608
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2724
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
    3⤵
    PID:1620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2244
- C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
  C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMosEsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2972
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2080
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1880
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:712
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\megIIMcU.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2988
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1008

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:1852
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUQgMsYc.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:1216
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2504
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14198086052126469247572497512953287073-1734960680461194592-1878365169-1515962653"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgYcsUIU.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2876
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1008
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2440
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\CMIgsQwY.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:748
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2852
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3016
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2908
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2936

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGwoQMQg.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:1548
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    PID:1488
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1692
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:1684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XAEYYAIM.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2204
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:2940
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lmUkMEkM.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:1928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:844
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
    3⤵
    PID:2756
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:2392

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\PmgcUYcc.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:1948
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2292
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    PID:2960
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\awssYEYo.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2672
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1804
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1076
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    PID:2600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2040
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2292

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\cgoQwAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1484
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1740
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2972
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1912
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:2312

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:1832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:3040
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1816
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:600
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
      4⤵
      PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
        
        C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
        5⤵
        
        PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\CUEwUYYM.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2968
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2328
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    PID:964
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tOoEksQg.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
      4⤵
      PID:2980
    - - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
        
        C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
        5⤵
        
        PID:1640
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1992
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\xcAAEYEA.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:1488
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2888
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2528
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "277315237-1290692522-4985792511539425405195805942013577160511167711871643038338"
1⤵
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\cAIQoQck.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:1424
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2508
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:580
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:776
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:1856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    PID:984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\WMEsYUIg.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tcYAgAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2644
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    PID:2928
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2936
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1788
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:1072
- C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
  C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
  2⤵
  PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dEIswIEU.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YUIIwsAE.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2432
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1996
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\mKEoAEQI.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:384
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - UAC bypass
    PID:2560
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:1676
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ycwIAEIE.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsUMQwgA.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:872
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2484
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2044
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yKwwQsIY.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1083828877-254558767-714443683111148670-9138064101913517799587530831-1636727203"
1⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKsMcwsA.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKIccokM.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\daYsUgwU.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIYAAAMI.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\CYQQggUE.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2768
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1128
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2940
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:872
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2180
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BcQksUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2508
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:580
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    PID:1196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-90073744318812052101345738476542098569204830089519424393401545928729714438173"
1⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qgQwUUoU.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- UAC bypass
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2076
- C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
  C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1578046813397790640-1373674977-19037731781198211626191536099532469325-934246611"
1⤵
- UAC bypass
PID:1948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1558515404-890060436527869914-156780892119656709531855331466-1048073499-2024566471"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\OswkUoQE.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2180
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2980
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
    C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
    3⤵
    PID:812
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:1320

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "531855999-1545326619-763447551499224907-237577302-1373110719736909402-1685825654"
1⤵
PID:2040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dMIkYYEs.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\wqYUsoAA.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2764
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2076
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOYsoIgk.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:1768
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2796
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2624
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- C:\ProgramData\xUsgkgIU\tkoAoEow.exe
  "C:\ProgramData\xUsgkgIU\tkoAoEow.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2996

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1666745068-2050878904-860313576-1251189173-130381144973852251-19986056501601680084"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ewIggYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2876
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2332
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:1668

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20628866191860131218-56732726-495090454-18531247252108157999-7085802411267943439"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-624924671-13052109525474708331437191761753722931-1297096900-523149967-198821295"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\VIQUoAAg.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2564
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yYAoUgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Modifies visibility of file extensions in Explorer
PID:1832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKsQAcEM.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1389178131-8675471216365566511672397352122863783-747222173-1618936006-531708871"
1⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:320
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "956418371-902108470436173612676695329-128111965-1505713856-2063539246-1784248916"
1⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zssAUQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:2484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12384144061083600379-2057756362-318204602183317201124680028016104684831778687670"
1⤵
- UAC bypass
PID:2292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nuogoccs.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hUwkwQQA.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2408
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1920
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "161918496617364340071597120626348109411-3588577618168654631789275415-74222895"
1⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14974539111728005874-422889364-72551126072738685562804876-2830000121292186613"
1⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qQoYkIEY.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "238758439708022805-1946165491-2114452394-1961689391658905441-376570378-328969431"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:2424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCoIoEok.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "416487741674828920-12779822161864533730483248616467325750-2106968009-1696878898"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10883461311029622298-1517178140969565835-644020476615906936-799797180792019343"
1⤵
PID:2232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2114005272-539893036-1381085452110263149-1787836691950955184-17989246571713961016"
1⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AcgAsMoE.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:3048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kiIsgcIA.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:1836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-45717662410062247431829488473-583601206-833586571-871325811-126391888-91355093"
1⤵
- UAC bypass
PID:2584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:2076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9769133181479064392-1899559864-501061637-1542392224379925565-1527578979295804648"
1⤵
- UAC bypass
PID:2328

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:2840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-799237186-4386767171594980831979185841312831981-4437384341265056961057730709"
1⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWwQwskk.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "49369487315480140521024024971-17372610416200613909494476302047378481627439987"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FeEQggkU.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2768

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKosUQgM.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17751317601763853337-3712996731199630915-1103853645-764324801-465953371-34862364"
1⤵
- UAC bypass
PID:2384

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1927020490-1163115760-1682635882-792760901-1976712354739331225-1171766772-678164962"
1⤵
PID:2248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2061429971-492625551-1303842736896621876481657332593388144-6185218931545205063"
1⤵
- Modifies visibility of file extensions in Explorer
PID:960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1652150020347241405894397180686586212-1558646101-81870752-19016530522052621064"
1⤵
PID:1852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1711717487581215636372801837-1200045123-12579438791124428635-18371480391237394594"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2412
- C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
  C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15812586881902241430-7004581671558687503-936933038-1886386444-419996464776998944"
1⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKIgQMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:2784
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1663952170853293997-193862424616853018924359984121396663521-151035093-840699834"
1⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:3020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "477358706-20711087471513428291-1976272481936969966-1167629166-1509473232-1699223771"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-923746948-96180076142346936-8041245601124257568-699048293-11407099211783279457"
1⤵
PID:984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "206108420-2009322180-1558714872-16435555262590664664274987512019341561632205164"
1⤵
PID:2112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "510053630-366298993-912253399-2011445891-42012435978399149711012975441871485241"
1⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWQgkswo.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "60373147819266275981075002019-636018853-1905845380-751828999-764245297-330533583"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:748
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12354396991588768376-1848557707-1964363966-1897366976-1258881889-17631829941956848000"
1⤵
- UAC bypass
PID:844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1819763543-399395868129301471819675768-96352564-19878836662101465537-2068206809"
1⤵
PID:2544
- C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
  C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:900

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1753586917132551760118349470384401946951084777625-2392116931742243690-1975662308"
1⤵
PID:716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18254694401042283063-1108052641-18446249201195482384677131908621713374-569571082"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RSYYUAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1515610729-599073386-1824839789-8513928552692500731151665925-686316619-463281943"
1⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PuMsUggA.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
- Suspicious behavior: EnumeratesProcesses
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\CuAcAcQE.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:2272
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Modifies registry key
  PID:1304
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2348
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "290462443-14293952491841309052-641667141011759313-679523501-627093122-1735946649"
1⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5465145341955045535208733009715909346921444589778-3169711435402612851762659047"
1⤵
- Modifies visibility of file extensions in Explorer
PID:872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12514305010184169649875874612104643908-15407957741472668718531344279214833776"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ceIccggw.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10299290514664094921871586249-706065211-609975215-1015494851-2108219973281707836"
1⤵
PID:856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2711460811681773342-149417824-1859915327-17747081-23854139-19330947881118660254"
1⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCAUkIIw.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2335939316598414581340699317-1880357761-1867016480-1031246378-79394155298822934"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3048

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
PID:816
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:1100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13334380331476548907520298256-1546689035-2111238549917221495-1537385999-1257703115"
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
  C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmEAcIYY.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEQMQYYs.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:816
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1716
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  PID:1572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1776418025-1219922440147686970012986014664166606381872542192-485377882790047353"
1⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:3012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1180296431-12923485271261585286-1591762973-679461146-18785406-203140623858430821"
1⤵
PID:1636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-614871766706059513-400796460-1771722231-7282985541967828615-1796378613703386795"
1⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMUYIoEc.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "114301682742933729347126627-150503769252649331018285992-68272506125659908"
1⤵
- UAC bypass
PID:2508

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "416916224-1816190598-677329774-446035945-11161387086713704561922087196-1207810308"
1⤵
- UAC bypass
PID:2332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-131901461-744735614-82430472214494935243712067314324931842129708808968338545"
1⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JCwogwgA.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1852019454516791123253965-906824180102432549819342337401275589310-909686497"
1⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1160074599-1910080522-1457126876-18436296761661293032-9644212547912330181286621187"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1828549590-573290705-2448384371905486890-608124454-210357596520016238091482505797"
1⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BuEkUEYc.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2086676616-343176157-1641259934-292266548-1810270336-177360120611803533891092018170"
1⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "294487740-1388719967138334359219826381181540814447933454832274336612-1709009546"
1⤵
PID:2912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12968010171799926453254752219-14820429031296983248-75877898-15797209621198698720"
1⤵
- UAC bypass
PID:2952

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\kiQQUgcw.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
  2⤵
  PID:320
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2748
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2792
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19323478591388642876-2041718661608547809254846894-903704696-32467654172293028"
1⤵
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1486493953-1236941606-5589535261351019228-3981625601459232935-1326847782753735516"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1608720327-376623255175926647623008588410963993-912481216-5518530021712971669"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-392637199-43892473177023179015700701182841284891338148692-609131078-964122140"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-45094927152746443-10453331031239445611-3352022851934512552573662472-227737309"
1⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AigYcUEA.bat" "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe""
1⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- UAC bypass
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1296976690201751000220522798851202257435462525163-1253045131-311321481591364535"
1⤵
- UAC bypass
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b"
1⤵
PID:1440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "902457217-2087687524-5905924447896030-1487816557-18579739411852109050-687845982"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4126502791896515569-11434237021557631394-1026838122-4301133861052783644547136729"
1⤵
- UAC bypass
PID:1804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1667416576-1156393491-1521271490-70610513537457881-15367809-443521096-1516473325"
1⤵
- UAC bypass
PID:2120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1487458134-4636229394980000641215154972-1287365893-7793126474290105301510209536"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2692

C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b.exe
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1926485356-1156588240-1005909050-2098064888259195700-144534479-1322342712-1659861300"
1⤵
PID:488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10332905272053923778-107726800112256505378904730163669465701182244991314927724"
1⤵
PID:600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1099942239184090545-617941413-70018396-1052841023890377925-190556568864817381"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20166786681018468118-1744303617-1879953632-8223601192016374263-1786889757-1066907839"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1356025250-557737379102663033614879492716649284716178213892153712731635830642"
1⤵
PID:1844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20892127901068940102-1482830028153472219206276833618027796668984763-64506352"
1⤵
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-881335526-43794941716695201441012417068-19642624111140733691012796921-1321189881"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1955529714-910491808-11358541751655974425-1766157887-25602254-2028493380-1007446611"
1⤵
PID:2156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-367640015-1991880333-1546809487-1507379280-169990556-2751637961172139165-646157657"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "650324291-1231471275458506358-569784766-6036052191450096923-23942259-737905994"
1⤵
PID:2600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-185475968-1759524825-15638164111946790311-500353855-1366018559259303105-220891685"
1⤵
- UAC bypass
PID:2484

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
- UAC bypass
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
92KB

MD5
850c0a411703e19b6552e342821d5c6d

SHA1
a129edfa436977fea5c961345935b097bde54d0d

SHA256
b6ed31f06f504e279a5d8562a98b981b8dad3a3a2c492fa9635a544f4d9d7186

SHA512
e06f127444f3e3bea02c06b38cbdfe4f3857621727e1fed972eba7743f4064c84e7e28e7947a1987d40cf0c82bacc39fe5bc003bf316d1a8d91e71afe04558df

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
205KB

MD5
a81dffb53b1971d679c280e130128df6

SHA1
142b8f8ee410ccee41e1c166f9d9cda5e3946ceb

SHA256
72752c40ed8d41a11deaad6fbe758de3e1f6f3096c5fd791cb5e4eec6ac938f9

SHA512
f519615e2a2c66984d23d1cbf8d0c798b16cd154fec267e3158845940067f9f8a4e400a4ec2cd5095d8007ac00decb3e75d9b63f3eca8a4d8da7f8ffac745cc7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

Filesize
479KB

MD5
4d2d8e428cf79795216d5aef9d29d851

SHA1
3742bd26ba9dba796deb7a51204fdca8ebb9d59c

SHA256
06022e9544e2b82a94526215fa768f105d6a283a145625820b3903c987a2ae27

SHA512
a5e0616a3cb9cc7b9d7450bc7ab1926be498b318a069ebe3eb8f7f07328606db9c19875fb528d57e4a949e21ce6290093dc0fe60c57ad3ba34bc7f89907a5627

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

Filesize
480KB

MD5
0e9755293441d143e9c2c8482cebce34

SHA1
84a688b7cb0f60c84351c8527888cb7f5439c09d

SHA256
a8538ae2f78485effcf8efbfd6a0344a0af00e4d9be86a01ebe1239f1dc9d355

SHA512
55a101549b4c22de080b70045daca15fe14f616aa5a2ee4a080f85d3fb17f7f199e68f2fc6397d6878be0995f2be49f82b0cc2aef5f76a62e205b119019006d7

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
541KB

MD5
acb48b3ea7c322bc573d64bec93e413a

SHA1
105c9af184fea733dc1b6b6de23ea8faa73e7a48

SHA256
2e80e2b7a46c47e55dc7d455fbf99955a8e189495c9fd01407cddb9b136fdca8

SHA512
2d11230471f36669b57e6292d405ede7d4d5db25a14edfcc6e20e787c594fdad0a7b229ed68a436088e99b6faaa803726400bfba137607ad53c84bead38adf5f

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
92KB

MD5
5f412b34d6bd20fd0bda590389774cf3

SHA1
b5e296dbc95c02fd382615b0a80e844b29812f4e

SHA256
817909ceedf158215d87acc153378ff82def8cbde30a504026dba265bca2e127

SHA512
bd6c6cf272cabf39fd99a516dd8bccc036fc9d4f0bdfc87eceef364317c6672df9ed2ef9f124c93d97e8c1a4046ad334cc1209d61777bc82e9135afa85e0dbeb

Download Submit
C:\ProgramData\cOsckYQY\GIkkkcEQ.exe

Filesize
381KB

MD5
64d2c6e8484c92faacce98d5cba07356

SHA1
595d854543f8bcf4ed032573ee09d8108afdceff

SHA256
e55959c5c730eb17d307dbd7b635d175d5dc9a64a7e5151b4e7229580560c5e1

SHA512
b079c223c06a2af86acb15dd3ca71ce53ab2ac840f44f847bd09f0669bf38a3427586922a6c51bf410bb9298f81a7d0813f0852270aeb7c1d1a88ea8f85ead96

Download Submit
C:\ProgramData\xUsgkgIU\tkoAoEow.exe

Filesize
433KB

MD5
d969e282f185fe7f63df00cab743e204

SHA1
ec04a0d72d52c62a978ad78989ac40def0f21d66

SHA256
62fbc2305e5819cb90116f65c2827a7e653bbe0356b3a92b00ee5cba11cc2ab6

SHA512
9633c40c381c26bd8f638456a7fabf283a963ca89463aa5f081ede88356715c457cd6fef603fec07c46a1a84f7f0ea5b17d51b701df8dfb8d9bb908617a9d8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bdfe2e2ff422d839e789f0bbde6191b

Filesize
48KB

MD5
cc8c03ba8764e73e4b079eb47da8c3f1

SHA1
2259f5c10142ac24613aa47c11550e7af8163846

SHA256
c238df51bf8d9f5d8c36081a83f31c1338cde73d3347b9ba6c7f62892e367a44

SHA512
dbc735c24c7c3d8ed61ea078159952739bec962cf2d893c3ba4f97b7165c98777fb57104bbd1143a308f3adf34b4f66379fb5f5b847a8b6ae1eb2b968e1c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMIK.exe

Filesize
345KB

MD5
dc17babab7c1e2c75c96d2bc3ab493e3

SHA1
e134eb4628e5bdd79b0368b869a9ec220d7c5818

SHA256
7339bb72c319485fd5e591fc4e3c0cb2c212f8018c9e2a92e1131e9deea30f41

SHA512
c68a7557c5221e2703b82a6ed7dbc26da4249717d9596ab0218aaee25a048d6ce2ba26ef47ba2d2206cb4df465410043c0a6069f5563407558f026120711df1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcsC.exe

Filesize
136KB

MD5
2aca3cae17e156d4372c300dbbd702b1

SHA1
6b22bc9d366f96f5038b31ba6f43d4484b33ab1e

SHA256
8c37cc1ae7e27fa4669b7104f4a664ac936fbdc8170b7a002cd2cdb921c02d3f

SHA512
0dc6583a969254294d8ddbf6e576953da11a386cfa4dd26dac95c0ab0cff4d9c31253ea1bf0b8c79c84747ebc4895489cb0e27b78a1989ed1c2a031b63a0bc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIIMkEUs.bat

Filesize
4B

MD5
35f56ea43c9452641a42e4bcb6825a7a

SHA1
1fd3d8eda39112104adc23c7ee4f00ed256b3144

SHA256
10992dcdffd4f49bfeacb8867bc34c9ce316663474d4c3028ca71a4bbc7a2b2b

SHA512
724b7d17a6da439cf5942a6c50c4a98cb526e61d4a0b055cf238ce34eedef2502fc85cdf759552411f8cde1e759e89c596dc69b8fd0aadfd42427fb724a9fe40

Download Submit
C:\Users\Admin\AppData\Local\Temp\BooYIEAQ.bat

Filesize
4B

MD5
97dfd3b68a5fdc217508a8b82c5a82c2

SHA1
cb57026605854eee2e9942b704128ed5d6cbd491

SHA256
9fb643b2e29ab36fc60e89a3766c8ecfe518dd5e9aa9e5e14a9b526922b74f99

SHA512
799f21003fe99479cf587bf615cce6d9fdc1d1ce21122a961dcce43f6019c3b068982cfcdebe87e690eace2ab635c710652aabc489fcdad68bb6388be15bd49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcAMcMkk.bat

Filesize
4B

MD5
b9449cc65c6ba729d710e8ef80871ce5

SHA1
4c0d78d62371bbab9e42dc80504e6fbac687c0e4

SHA256
37036cda205590b2d105a761c10fb9e7b768d834e84e04f7149b8929e6bd37d5

SHA512
9212997d915c6b66e8f96dd2527a737f7de313d19a4b7cc8788fa062b280ab14914bd4f9c038768a14b661ab7bc7b8fb0dd8c8e0787cd53cb3b8f86eae7d1025

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cooy.exe

Filesize
896KB

MD5
73dc4922a68d72a2475c01ea81ce30e7

SHA1
2ae82b012269aecb97ad886ecf2c73476d59747d

SHA256
24f3e7dec4c091785cb84682a5833fffe06b4453568fd2c01e59b6a2910c3391

SHA512
39373472303d0a91ce5cec54003fcac16b7a8065a3ab3101636ae4dc08e3d33e675d31f847c8924ed7948e6a6e20aeef5488024d4f11ccc3e4f497ee8a305fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwwEQAkw.bat

Filesize
4B

MD5
2124a2e59c9e520655d45719ee9178ac

SHA1
71f162c2ae2e675bf83149be7e95fcea2c1c26a4

SHA256
1c2a14c2421516df2e0944e254480f190b14a1ce5c533537b9f43c5b3e70cb85

SHA512
f2af74f3f00c613f63ebfdb10c699049f0a1983d208eb89d18dd7f25b8b9376a72f0156ba500309d3b8752a05a3beec620160333e17fc716ca2b74038b7ffd45

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGMcgogk.bat

Filesize
4B

MD5
728ed5189b72789ebec3ea5e71c2bc19

SHA1
5da8af9bcd5e77d581ff433e0245fe6c11ab9bc7

SHA256
73292cb47c16af3f1487388eb84543ca72ef28e6f390c06c652f418d80a253e8

SHA512
d1014166897b2d73e96b6c8c9b1afd646533aae92b9dcd334c186c08f8deafb9f64ee3c60f7b198cac649aa6a76b46f88ce3da06b0943387dcc9cbe4f4f5c6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQoUIIwc.bat

Filesize
4B

MD5
880746f92d275a25a5142d8ce9c8b89a

SHA1
e3ddebfd76090eb9feacab1b96c84dfd9da0c4a1

SHA256
0cf1a0e9e35267d3ab7184da8d389430442fb7b9a91e99d6e24420d5ddeb78bc

SHA512
a3ae5a3a15e880b00596caf43023063c70d9c06fcc49b80763133b3ddf079b558d933f41f44a664927f407a0110ae1825fd2dfeb3523f44381edc5de01a1c6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWkoAcYw.bat

Filesize
4B

MD5
9f4c909e9529a026b49f66a22278bc53

SHA1
0bf501bf4e6d47cce2179d61ee8f58969b546647

SHA256
49c0247adc9861004986415a60b3a4befb1a5a54f93c2cf25f41ef5294263e1f

SHA512
5b9b94bf6004c138e6e2457eaa3af2adb53e5a0e73ff4358a38e41ea4f0415b82b9c331b9e24b89bed8ab04a03606f95e9b503cbb8f467e96b072fb5b256ed54

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoAcYsYc.bat

Filesize
4B

MD5
84c9562af4f14d2e0df796ee889d546d

SHA1
eb86c9215a1dd927161c3682fd41709ee93d7fb9

SHA256
78f4f188c9255ee82d0e78c3f87677bb71376d5f2b6066fd6407d187b31ee3e1

SHA512
e2474817dfc1746f353e05b043bfb785abf7469c7898e281a692fd0f28e11cd396e3cd64ccb59577709c6a69f8761fac9335cf40dc77454374e551a5bd7e8128

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCwYIYkE.bat

Filesize
4B

MD5
1d09c93e53c8599c612909956808253e

SHA1
b4bd4bf8ccde07096693db5262a03f5ee1cbc424

SHA256
5a1fadc566c792c637bba87724f6cfc843f67f16f8b2222e053637ef56cc9c04

SHA512
c7edda43fc1ba2b230f5a87e8d6831f205f211382ffe47178b227fb71e73dbc88e54ece3941b3a1b20c5738858eceec2b316667ed65456bc0a92c192e20c103f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkgAckoo.bat

Filesize
4B

MD5
24da8983a7808267862962d6e19c48f0

SHA1
29738cd143d6a0545de3c8188e5ed2102c2dfa2a

SHA256
55b645d2676aa05b39f3c10c6dc70ef24118e7a38c566be59cfcb6ab6e0c3a14

SHA512
bf8a377f8199159a4ca88adc36d77ac62506b0c4d58d9f174e15461251b5735be337b965495379de3e6d2b9bf80e93c79623b8681f03c2045deb980e1e46d73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GooI.exe

Filesize
485KB

MD5
ce97736836668f56b58eafe9d47e88b3

SHA1
1d9a7ee9b248c3d112734025765b36ef666a6e74

SHA256
0448fc9b52733ccb883bcf65a34ef2ed3f1d4ce7224d91a4db02b0aa8f19bc03

SHA512
525c54343f5810ef3786c79c07246f9f76fe110eb29ce31e6b53708b350e4dd52cc02cf131a705c3a710d183eb7e15dcf1278ec020353b5dd7c31c13c2bb0ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwkI.exe

Filesize
483KB

MD5
c188366b5e0ef4d724569dbf60f3a448

SHA1
036430fc5a937d09aad8ef5356764a2771080a45

SHA256
9f684d940d9474010734a734bf8855ea8d2625ae88dceb42db5090333d926e8d

SHA512
ed4cd5d991682e724737d03519e09681aa241bac29168f12b8bef8848faf55c0c8f4c7677aef84201c72240e0eef68ecb9172d073aed9ef3a58f302fcbdb4989

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSoMcEQs.bat

Filesize
4B

MD5
bf12f9f67ef154956c24678c278243f8

SHA1
6a145f7835d39670f242ca87bfe6075374dfb9f1

SHA256
33e47bcbf936ba1cff7b2611f32b22ce2b35198bede8fc24bbac6bce71061922

SHA512
6faa0607836dac3a15fd74af8c1ff459c4bb44a9b1469b0afaedf83f7b094e7d095142fc9e27bbd3f03823bd5a3775a4bfef991550683c9b416520243960623e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQQk.exe

Filesize
485KB

MD5
0308a42f56398ca1f38b5e55e32eda5a

SHA1
f964ed29ad41389aa4445c9e95d39aed77e245d7

SHA256
09fded3b2288bdfb922f69ba54c19d0dd9f84174fc572b3256be7d019c859886

SHA512
6a5e2608320a2a674dba1cc2cbf25ed1a443e9ff994b99b1482422001e197c9d26349ba4b133b083c1d2fcbf536ea6bbae5a417c01acebbdf9ae0dea4d9a2f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCQUwQww.bat

Filesize
4B

MD5
d1a679fee48174d18966bda3a35acd93

SHA1
ee797ed7c344f3cea3f6fae786512a1343fd44b5

SHA256
83f38334d2b5226ecb21f09feb806d18d6f4112fe6fcd2f062ba138b78f9b720

SHA512
c7d5e309f2b3971ff7208504e6ba599b2cd3fcb4022556515879f39b553cacd6de36b21f58a48d9876eb614e81abae3cca762fad6ddc9809c0f553a8f3ec998e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEog.exe

Filesize
1.4MB

MD5
96c7a8c021f0885a18e2b1dd8931ef19

SHA1
ebce57d1204adcc28bfdbbf2394c123417962ea4

SHA256
8a7857880d6873bbd4b44545b47035064cb6b0ee466dd3a1094af66b5646fd83

SHA512
3feb7e91d89ec0c23a18b50944e8334aa56793de9de78ff820c813f6992e14478985357e6f33b9415e61c58ca2d64be5421359f6dd1643a40537e3090ed84c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQki.exe

Filesize
466KB

MD5
79b286d0381d8a3867220dd645c3bd4b

SHA1
a846f88ff61a0a34b76e1d7f86d327c72225bc84

SHA256
c996b1b2440439cb2c4d02db3217a9ed61cab03db6e8b39da6e8b759f0cda007

SHA512
ae9dbdf2f2cefa8a971378a055156db0b7943f7fa407e0dac4c18b4df44881ed968ae96dce4a074846e1e72bd617751f80b816da2ab41c759dc6f0b7f475e93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgIgUgsI.bat

Filesize
4B

MD5
344b4b2abd9d1b341012118fbc31bf77

SHA1
01a09c98cb9231b90be665784be5b5c25b44a27a

SHA256
172ea0186208bec1409e3643165c9cfb7b406bb38cfa464d6abd331ba38c3b4f

SHA512
56cfebad0fff5fa93488cd3b8fb746b7a213f7398bbfe4edfcaf093c50c655ef9cc1cc3f04e3afbc5656297a2da795c0832c427662be1bba4e6e9adfa9f2a38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIAk.exe

Filesize
482KB

MD5
018bbc52ca51bbab592e50bfc7f45cc6

SHA1
47bf36b5accd6edb871798830ab085ae6246cab3

SHA256
4aa4bf7c11ac20f2b2652fffe427cf9e167d4ba8122ada18dc0a0b7ff662054c

SHA512
282fc51d06e076f8f6dfc55cde2f34eface5837b1355145843af3c6bf5bd534fe96f195b22385a364c7121b6926dfce95dc5ac4c262e1231b8589f310b012a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEEe.exe

Filesize
561KB

MD5
edb5febf589722bf2ee2af0907e73e9d

SHA1
9d51e49fab52ef77da4c3dd3e3999baf6f40cfad

SHA256
1ece77ee3b9fc7dd710892c60a440a866389a73ed418d6fb8cbd234e89f6efda

SHA512
254f6bd2e57ff6a2c83c67ad8283113380b759adb0b71865390f18c9951fc363eed9d13ed49764d21153ac802adbf20060b74a24a6186e4014efba4cfac69b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\OOwkcAEo.bat

Filesize
4B

MD5
3ba3f652c3d6cd5d058d6c02f3af240c

SHA1
7f9ce1f71248b494b0000fad24ca75254da00f72

SHA256
58b6fe631d6ad411d48d5cbf314091b2040519d754392ea8edf2a0f47f340c2c

SHA512
f6cde653ea2c725c03e291e608e74cff43afe71878954be60c1f845831f547e43d4ab68f558d0f96f015795b8c31b84c00dba6802a7c898603a9f45818682808

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYMQ.exe

Filesize
788KB

MD5
84759ec36e676fa505f8064b8993188a

SHA1
5227a95bfb294d4966a79fdd77d50accd78750d2

SHA256
b369daf1afa062d30f10f45e4ae83589922de26b127e901089107dfadeff9b2a

SHA512
f1eb2e104a67f1d970f3e6971c6182102298b3aa1738d20a735b81a1e40c7f11440d2008763ae0d6bbbc6951d63bcf517eaa26f11d7022e4f0e8dc984e3bc19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSwccAoQ.bat

Filesize
4B

MD5
7690cc63088b7b4e781af9be2a171d39

SHA1
c4d7a53b9e5a82fbbc80e3e37bd493ea340b79cd

SHA256
5661d95339e66310e72ba12695b0b2a195be00addcff131b30544df7f5551ecf

SHA512
9f4fddfee402d5f3403698694821ec6393ec4dbb9d5ae18953f70335e63bd6911745239a9b4c7a3dc061a6d739dac1dc783a16f1da24b2ac5472c6724463a7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYAMsowE.bat

Filesize
4B

MD5
ba3a82c16788c11c785fe5f00381a241

SHA1
e3f36cb27827e2b17899ec24a55ab54f2767bbe8

SHA256
225052bac9aa7fecf788cc18e9c59815625fc4dd19c64ef0514302019fd4e006

SHA512
bd88772e0096dd0eced9b0243d2ab96784bb161a648055f1f52f9b59c59e311ba114e588a19c93cafd01cb4631ebe9e84a93449d96ea3b771fe2bca36d266d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\PuMAYMYg.bat

Filesize
4B

MD5
9dc5ec081ba659b73dc1f11889146e4a

SHA1
9413f2cf7430ce9d69f53ce9784a8b68d05a6713

SHA256
76969a57b6a3c39422056b618941381e23f19913bc6800c2ceca6043be34e204

SHA512
b746eca1df013f161d91b68ca47a95eec84aa531b0e5de6b3d9ba1c508fd72fd2fa47863d29e700239dbd2af8835b5a1af3196e3df020fb7e36ff420fd8b1155

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEwO.exe

Filesize
1.3MB

MD5
afae2b349883109f0cc9c76357bfd9aa

SHA1
514ed68c904d6dee97b41387de0b927876ce7eee

SHA256
7d5300010d1eb16a4f2fc2022fa1e22e2af6001cf130b2ffdb04d4f65d609672

SHA512
77d88a59f2ead4c18cceb6140936b8b9f8bad8ecd61c1f05bbb49bbfcc2c9bbd02407bae8de92f3dacef2b5eaf1eaea29a725cb3cd113702986539c68ace5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIEM.exe

Filesize
1.2MB

MD5
ad783bdb610416fbf24f4c6d44f33a41

SHA1
686b1f60bf45ca8321015c5981eb2d5e773b9382

SHA256
74f11c31dff5a94d51fe4ddfa83f8e2275579bf279c30c8334bce9c1895e9853

SHA512
738968074eea33e1d8a0d3836411d406ef45cc7c3528f5e70a87399a6c59f05b29c62e73ab679be29ee8bf48098f710f7e976128fdb969f54291e62ffeaca2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYcU.exe

Filesize
282KB

MD5
de26f3fdace11676101ec115b96b08ef

SHA1
3967005c819749442f9f0045c2427a5af1fca05d

SHA256
84ebe361121f6381f6e7fa48ac9ab7f1d5c7459bb00b89bf1fee6891bd9cb034

SHA512
dddf3d05888434434a361b2b32dc98eda43cadfbe77718641d98ce55c5d94f188fb881473a488a413d824275b01a005f65d5d3038cf94d983e7635ddb68b9b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgcK.exe

Filesize
558KB

MD5
d7c76fb355a50fe01716c7b3c53c8220

SHA1
6fd0480205c8c0a7f269ba1756dda7ac05072af6

SHA256
fec3bbfd097a566d9f1e83f245cf3637c702eee5d0af5adf7fbbfc4d22abed6e

SHA512
c478ce6fd3975fdfd209c08600e4fe68bf75d208f682260ca025ce9aca6475c4f02e85163def3bdd04648aea285ae1c8973a377ba7c791089890ecadc424686d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QscK.exe

Filesize
1.3MB

MD5
6b6c5b710bb0b5d977f92fe6ca57392f

SHA1
b5e33d7baf98a66c78f51e08b8c02b7ebaca8283

SHA256
6c82af9b929ada7b549c8e03b5123ebc5f1f1581621f83c5180c0483e763cc1c

SHA512
490f37af20536fa86b7080fb87d1548ac2dde218e4b0f997ed991bdfa77586cb39a1b5f337a031f16d5a628b51402f7a2623a7e91c7e8670b59d9fa7d2c51388

Download Submit
C:\Users\Admin\AppData\Local\Temp\RakokYck.bat

Filesize
4B

MD5
5e0058bcd596398b26169aeb334d3800

SHA1
08d9697b5b0b22ada8b8d3bf9be78d9f8beeef2e

SHA256
7e6134842d654631d4de3e9e878710429917139857251ed299ff8041ceb7456b

SHA512
8243e271c091cb224196fea8627f6601432d1e767765e5285cfef79e13500a01024095a2ad163a8360b524571a5f57be673d2678e6581630c49ebed2e0e0e1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMYk.exe

Filesize
360KB

MD5
75c3b58b6c117553ec841180aca64e29

SHA1
1f8d1d98f7ef0ad385ed76c4817e2f78e3480fec

SHA256
8b22b7383265d1ae7973d37c87517442964bc063bced4aacc249f0995323d8ee

SHA512
5a3dbd5d111373f62e0583fe73c65f34899b58ee3a25482a32406953f18ae8c46a3c42e0b8060afa0a5b71b3a1ed38610fb1bf1b552d7746597463d5d7a45e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwQE.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCYk.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEgC.exe

Filesize
404KB

MD5
d75d9cc603aa00b91ed89b4e29869f7c

SHA1
27bf77b1d61915f2455803c8c33710ebb34a5ebb

SHA256
62461f138d66a455f252ba23d27146ac5cf791a4176a8f3b9ff66064b4a3cc7a

SHA512
cb4860015af2d07c5767197cd0a17f79329805ab4a4b44bc7b41d1880c6bf625c923a14239685ae8c7140c7eb83478a73840be6e2d3d26b3dc82759db9c2b70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEYQMIYg.bat

Filesize
4B

MD5
2c332ef77fc3935953b6258176c82b4d

SHA1
f1f749d4b12860d78714530f11d7a0c0eca364fc

SHA256
39918a01d3596f3a3ef8909b343e02ff96550fd364b6fee0c084351b2b8471f7

SHA512
2fb7d02dd69f3c7de4cae8a7577f267edd268b9846db298f5b703ace6dda61d2247c0b4f4e4c369df20a71152202e17fe7f92c5110ba968e04c724bdc90add24

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMUcEEcM.bat

Filesize
4B

MD5
1d628fdf9bde0eec3fda4898b8c00ad1

SHA1
deb931bd632326c03bf5194e265a8a2b172d3dd5

SHA256
9d20c8c563e70b12c274f17dd758578de928ab673161634453e845b071d8ccc5

SHA512
05b8f6d9d913e42dc975981afcf976b4ca7bdf011cf23b38e9dd476eb217429745391052a590859e43d906cb3b2113299995a695b6cc05f8ff46b606e03bad65

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMgS.exe

Filesize
516KB

MD5
59da1a713742c7a6cb9d8f8274b3e36f

SHA1
96ded1389ff38bfcb43c5f4ca22865e0e5a0fc2d

SHA256
eabe1f64fb37693c1e1f99030f4ae70868855f4db7e65bf774ee2dc413f212c9

SHA512
9ee7978a20dbe776642d3159453058d3663d0e1308d3878f117c69007c1350bf24b6bd2bed1571b1bf745eb2cb4f258e356a9bb8ebf295a4e2c4d233b6723eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQwk.exe

Filesize
369KB

MD5
fbc5c3cd7cff90b17e160034e039d89f

SHA1
8af2950c61fbc0cb653dfd008bbe25166b99785d

SHA256
10725c5a1af252438ec1f6793c6a8a32a70258fd334d30e39fec157d80fef362

SHA512
3b0b36a578acf5c1afe90925fc69ccb19ecc96bcd8f804ca99f58f99dbfa5881bc34ab16be597b2df0bef16a601dff2e35feba239884809da80b377a7fd7fd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsUcogQE.bat

Filesize
4B

MD5
0b3112c251aab0f2b022b0ec79db232f

SHA1
afcc182eff1904a9d93723589c24f0981fb6f994

SHA256
78c70cf9764f680180c537e3c64bfc48f5fc88bbbcae8b4c517c68daeea3e829

SHA512
6f7340bd18ea07f73131e66ba211c3f73fae5fc3121ff0bb55d44fcee598bf3cfd18c2322c6656a0490f48bed9db27c053f0a1b5fb009af2fb7e8a1dbdfd7c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZukokUwY.bat

Filesize
4B

MD5
8451b0fdfb4ca1ceb029caade735e1f6

SHA1
515605577664ef2c275590c4712303d253f2e334

SHA256
01304c19d63cd5db8f8a5263fb24da661c7b02ea951bddef4f39a0db8d012c0a

SHA512
2ca0729c779b9563b35b6363f01216504965227096bf1131d5754324781012c205a5bae3b71eb420f3dbc67dfc9703180734360736fcfdfb4c8d49028916fcb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\acEMAEAQ.bat

Filesize
4B

MD5
f5f5bfa8a0707adeff979011160cba7c

SHA1
beececf4d889cffbed7b0f149caab92f6459e640

SHA256
f79cb3014e63e33efa886f4bb6e43af4f5f6333a90fb9c21524339a799e2c0d5

SHA512
686e7a90bc3292c83084b98c5887f34bbfd5b1713b0effd66b83342fc7d7de3066a8126f558113e633829982b0e540a1c4fb12c30b8b276a8ab318ffafad2fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\agYa.exe

Filesize
483KB

MD5
a6aac2ae3ec3a455954f39a2bd4fc6da

SHA1
c8142bf0cb26fb45280d327ea73e7c17d5d5d7bd

SHA256
aa8f35f3848a6c822d2042e1ea39642f7242e0f1f7e79975275e3312595fc5e6

SHA512
6e50cbae254594543e1c5acf2bd4734c9bdd361c403327a7202b00bbba748fb2a96283ab5061554354c261656aefc9f467cdbd4e11e42e5c28d6be389c8c1007

Download Submit
C:\Users\Admin\AppData\Local\Temp\akUEMsok.bat

Filesize
4B

MD5
099bf5069f0d961d126c8217c5419f44

SHA1
0cb4459f71f500368197ff2728ba6402a3f4a835

SHA256
287d43ac937d0817815e5ada40fdf79dbf23e8aeb0302b4fc0d4e319c82ea79d

SHA512
809c26eea82c1209819a4f595c2d968daf9a231319cba8ea3cce1f83dc11f2e5c29ad2efd934c7928a306ac20d6e1ecfbc8d77bbd6a2164b6648a9a3e9282577

Download Submit
C:\Users\Admin\AppData\Local\Temp\asoc.exe

Filesize
282KB

MD5
b6604a116ab0730b08235009196431e1

SHA1
56fdfb4d992a44d0a59ccbc3395a38c8060d8159

SHA256
9b366cfb8e2ee7810651c81723ab993d2405973f0b03c7f2d6ec85a96e8e0717

SHA512
5145cec868bd8c88215743080d8e40f8f946ceda14dccc3e3014c6071dcfeb305bed1e85b5b1f7c8ed2b45bf33e7f948ddd17d83ac79ce06b3cda60fbf3ca7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwoM.exe

Filesize
197KB

MD5
8dadb1bebcb228a06c048d232c496eab

SHA1
4924f2dce6cfb164d143c062b745e083bd468d8a

SHA256
507ccf7bd81942701806ec031a6b93ce37bac3bca59635d19e9a923bd09fe0ab

SHA512
e2778da206ddb81086e380fa01a4f0bc4fdbbe87ca96e510f3ebde06938199b5bda8570cc45a9048c88f4d6c98f08c88c96a759562c30080b97272b0c08176f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmAkEcQs.bat

Filesize
4B

MD5
45f56a576b130cec233b811992bbb057

SHA1
6b9ebe754cee2ae5c51a7c3e07acc9f579ba577c

SHA256
290fd1fa3b5e645f7465d9bfaf8e8f4a1a79ac760c5f481b0613067a6375e917

SHA512
802f37d37f5c9a8ecbd570e29c83c7440228f7f50aa8093b8fdbd1822a421f3bb09d7b765a9c4807f4016e1a94879ba19c5d31f3341a38c85a72b16e76bd8ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQII.exe

Filesize
906KB

MD5
866cbbd7bf74770f1024f338560d2785

SHA1
c748cad9a2d81db21f19ebca53fc33ceeffd8d29

SHA256
12bdaec18ab230793f657f29017bdedb78ecfa160910605e4c653aa54965e03d

SHA512
689c0ffbffca04a16764ceed0189a33b770c78683026e44d332cf57d7cc2fb2181c55c7c77b1d8c563f5817e76647ac19dd41b857df8c1c3bf843e16e8475be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\egkU.exe

Filesize
458KB

MD5
caa54ccffb39d1db5811addb556e472f

SHA1
041f4f85387dc7b5927f9514c1a93b76fbee1da8

SHA256
161c3313f525118532a89e3d32b7475dac21dec0406264c1ed2b01e0aa2b528f

SHA512
61a41e7685c76f4fa9db46662b375c2ea229efe1dd48688287fdfeb88ba95ebab5fe480c818c61f9013f3e034d645a7f44bb410fe746f0ffbef895f98108602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eucIwAEU.bat

Filesize
4B

MD5
23d17d843ea0188a501de861e1b0de7f

SHA1
4cfc3ec24fdd22d27a7f92b6446506a2baa67709

SHA256
4ab12ae0be8dfa12dbd4a7a54e3e965ca664e2f31ab59cbaad436a06648554c3

SHA512
67d5ecb3e46174e6f7f3b2c2b427324f9eab871b8f0060393eb4276b97458667a61355ae41e93307261d41fd33a2b41c84eaccb3702336d18467dd3445c1d90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fGQcYcEo.bat

Filesize
4B

MD5
09476ac63dc8bf9fddc764cfb3b379a9

SHA1
098a34554f040e73a9ae3bff210034d9ed70ea1f

SHA256
cd3de6a57825d2e5c5dd6908938ea183f9496b849ce76ae8dcfa6111ea296f61

SHA512
aa0c26a0ddfe62bb7cf906495906464b90658cc1c98c46fdf9dfac12ba9371d9dd4f7812b7dfa203442ded125fdbccccb92fa4e5fec296f67dbe229291089da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcMYoYMY.bat

Filesize
4B

MD5
660007ba2d79e6e786fbde24f2bcde63

SHA1
f833f402ddfe4252993160037125a0ba502d6d22

SHA256
7c020037bc1e800d60a88efa8acaf371ec4555b2e99cc09b026d740009ae8eb9

SHA512
a6b3c290fc55e83d03ea826f5c298b4d3cb3d1f99ab879680f56548b7d8b46ac81c5e4996511b51ae30c62e0da06f12df0c329a03d5488edfbe6ff049d7781d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEMM.exe

Filesize
483KB

MD5
f8292c01b9d5b70d3610dc4775d72763

SHA1
84b0c65ff626df7a58c3b6485aca41f6288bbd92

SHA256
92fcdbfceb3078882024e9b76594d46788c651856ce1e6f50527019b11cf56aa

SHA512
e3fa0b5976d761c7848d28e20c5b3c3211cc35bcae36cf43dd3a689770f2641b1f6388a4f021c374c36fd8fc9d80203d6bae85fdb41843b8f5b7d704ae2c6484

Download Submit
C:\Users\Admin\AppData\Local\Temp\goMI.exe

Filesize
468KB

MD5
66f12aa15146fd2e246b44bf380b8602

SHA1
b5b354d70a005ca132b7b2cdd5e203d03f31fb9e

SHA256
2ed59d550b98a271bbe9309d7a6f00394e1abd02ccf4777da1d7b0f888219120

SHA512
ca8f34a96a8f03bafd88e9505533c412906b986f975888b2cc9f4a63d2909267afc591a70aae6a6e2978585d3af12cc8e0f1ef4573209d79781495ccd8e44cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwsW.exe

Filesize
478KB

MD5
50dda7f7c650c9b474900aaa9cd3dad6

SHA1
f267ca8768efe461457bf59f0a340a8cbddb24b8

SHA256
66f597e1e7df65c2ef2ceb7c121a597137fc5b129aac6e466896f28a55ac0e45

SHA512
531cd5fff7c17c2441d01d865e9bb24b2e84e1b251c809a413b18e4486555292941932bc82ad1cf34aae6af42b34430baea1c93a656770a6cdd7add1bde4a443

Download Submit
C:\Users\Admin\AppData\Local\Temp\hCcEoMgk.bat

Filesize
4B

MD5
fd04a72ed9a432948c4468651971a20e

SHA1
57ff13397ebed8346133e3bdec3aba05bfcfeadd

SHA256
3a1b9f82034704b9afa3aef9e1bf2e08fbda3a61b9cb24702068b824e16f7dbf

SHA512
2e717a65e95975596bcb57a3bb47626b87ae93b405d946cb950551b5c3ed3cad7fd69c190aa59dd6fe197e8e1d63708f6b719a556287f11f1965bb0df439770b

Download Submit
C:\Users\Admin\AppData\Local\Temp\imAIEkss.bat

Filesize
4B

MD5
cb2a3abce342176db71c944c6f604d20

SHA1
df0bb736b0c721bcb583c6f0e1eeba97092fe89f

SHA256
5c640278cf49ee0ae8623054288471f1d4a3404a0edff117c2d97eec6ab37177

SHA512
6e88cdacd0f4b55fc025eac7218671fb0400e14b6a348920437bd19dce1c222fb63d71d3eafd08422593b181b88254259e0122f2d0f4e4876aacb9a0ca1e63ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwsm.exe

Filesize
475KB

MD5
e16142d5ec3fab8d4fc03f95b8b21043

SHA1
5ec149e0d272a76e93ae1be127936232abb01155

SHA256
0af5bf8228fc1bfa1cad48b49fec919cf567ef041409d84735eadc0ee919be50

SHA512
d078c97750f3a1d1fb9028915f76f185aa71e89083596c50c4b9397fc821b429492d55c3a76bf42b3820dc3c2548ada5f695d9d8081750963acf8a31df9a2a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkgy.exe

Filesize
462KB

MD5
27517815462fa89cd4a3cee5001d6aee

SHA1
90471f32a1928fa76af65aeabe7db44f920ab9ff

SHA256
629a3f2ecd6e69974e5e42dcdce994a58a8ced6c2bf7d43a6ae4dc1b0826a623

SHA512
6a077b93e84be90bc2a673cea53200d4c649cb13a08793476054c10a83bdbfc984075fbe6f52647426353caa2b12764fedda28519136b4f05a73c8ec693fc62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYkAksoA.bat

Filesize
4B

MD5
5433325b7372730bb38dc036b62b598d

SHA1
010c67be1dc64ca63a1adb90d883d3fc026f4084

SHA256
fc53aa774de5ac2a174fe3c9b175f006fbcdfd6ffec546d99e254ea48c193342

SHA512
b9b2942e1bbf374cffb375201b48d676e0fc5a1ae15dabbc332fa6059fefeabaa0bbeb883367f2cbe2f06117fcb1311add043885f3fb42c736c8cb9b3888880a

Download Submit
C:\Users\Admin\AppData\Local\Temp\loQEEsIE.bat

Filesize
4B

MD5
0bce233edaa56affb9baac57b76d50a9

SHA1
3fdc9e61d2193e6737a72f360f9017752455e2ea

SHA256
d82c5e639be3ae6bf96e15cfe0b3926a825b9f569c0f367330752645389a0916

SHA512
0e2411d00e42bad28ff01d700d3143e0fc84465907b1efb349dcf3199e1e9a1659d419d4befe35d2640ec2d742940f277d576aca609d01366324d246a9c901be

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYAc.exe

Filesize
478KB

MD5
5db2fa0b69f6266a645aee7e69abc702

SHA1
766653d101e5ca65053be803192805f160ee3f5a

SHA256
cf3e221fd8c2a4290068f8d1d67782f9301f467458368bbb303f2a0ee7db36aa

SHA512
c1c4f094819ceb844ade449907bbe5f3bdcb74c95fb64639a444e62222c46af097be8bb6c09a831d21e364dc683335b87ab9dcd2e349d97d806b78dd766cb303

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYYo.exe

Filesize
453KB

MD5
66da3c967b0e8a0220dfc701d4023ce2

SHA1
34c70a2285fb6780dc51448c5963ef02445915da

SHA256
8a683f95580dd772e22e25f02f5973a7b175c3c435387364d39836e6d41fe3e0

SHA512
d9867552173bdb315ab3161c8d0d2787c5391e1cfcb09da67ef9e2c0ecbf8134db040563cbb65f147516ed16ca6068e6b420030e0326c8fb990bac1367971f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwsu.exe

Filesize
1.3MB

MD5
ee62427edf87e9590835bf47be97b995

SHA1
1e8c09f19ae4d550ea8b234d328f13e9ae65bac7

SHA256
3f916340cf99eacc59ea1b15c6f29997665d542359b8ec28a714cbe105ace296

SHA512
eef58925cc488da31e1a2f043b73c6adbeeab1acc24dab64ab5cf67ac67a41d906223057e6eb2ca4d1ced8807f40db542684ea82ba44b98436195139c22d1602

Download Submit
C:\Users\Admin\AppData\Local\Temp\oacggoYA.bat

Filesize
4B

MD5
04f29ba7ab8f4e109170f732fb1ab82f

SHA1
abefd63da7dc9ce380fb2f1cc74f3caf393c34ee

SHA256
5cebe785abe75b2288ef02d59eec950d6b29210a0276c3da21d273b37ba86d99

SHA512
87213c4477d9d3a32f497dff076ff78e75f0461832946244bd9ec6c81bada8df0985de4f8d2bdea1ec46c4872abe7a8538f4aba67641b127f19d62d9ce2cadf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogMM.exe

Filesize
396KB

MD5
e408fd7e74b6f91bff6fc1f50e9cf1ab

SHA1
2ec8d2b2036047287a3e86070e99cca5a702ea46

SHA256
e3ce3ea53b0ad5c5129c6a9910d76d0742f1faa3bcc3ed9460ca9a048b6675b4

SHA512
9ad865afde89789b6f89c33db0849cfd9ccac5b1cc5b2a3f4090d1dde1217bedc1ab602f896f3802817046c852dc3c27d5ec379e759750fa95c256047e034ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ouYQIEUg.bat

Filesize
4B

MD5
94640ca6da581b3452abf147227be8a0

SHA1
b110d05b49f387755e4bc3085516e30cdde77195

SHA256
590212f6fa6ac215b8c2699b3981064a7a780ee7018ce8a236deec46b2909539

SHA512
bb27d5ad8c19a43731d930adea59853bdc2c4b114657ce3eb4e91bef847f67e3e12480285d44fd5fc7a436e443e5853ade200ef1c349aa6d791d2dfa0c5f233c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIoAwcQY.bat

Filesize
4B

MD5
32ec25d8a29747cafe00c1630f34ec93

SHA1
b6c51f01067773688386f9ca54686f608e396416

SHA256
f4b0a28bc8a86f16ae1b3d2594f67b3353d1af4357dad2f559491f0d75f42bfa

SHA512
b6788d1b40077cf600669c388598a878e1c43ea10ce7e0507e487378beb3adbaf51302f2b9f7733a837c5a7beda7402ccd372be5d76e13d8959569f68a0560c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pOEYMcUw.bat

Filesize
4B

MD5
4137e216a3c8a792b287192b0b97e1dd

SHA1
01a3a4e54b45b305040e2886a4d15ecf11e9f191

SHA256
acfbe5e3639b8111bd1b2405ce3b046ff43716807753903d444526ea231641ed

SHA512
803d9ca53a1a4ff48889dc404bd798b050cb20a15647e56cdce02663baba1368e30ebb8b9394591d2b0f73587866892affcb9ebcc0d863c55bbb11a57cadd498

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUka.exe

Filesize
460KB

MD5
84bac923988abfadb804cbdd8a5f1534

SHA1
6942f196c5317fabfaeab6558aad4a0547873415

SHA256
18a63236d8d5da903718e834d9a843cf6ca12238d4e25720124202f8ecffae01

SHA512
5e73e89afe82df6494b511b67f1d17103c4e2029ea37646cfdecabb37581bd6bf80df2ebee7742109143d9a6aba124b83d0816285f59adf428f5102fcf21f6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwMsEkQM.bat

Filesize
4B

MD5
135effca3b79b77dabeecfee1e3aca65

SHA1
82621a969c81ac70e9e9ab5db8e7d6fc0e091809

SHA256
aa4ba74885577777cf3eb77ed0ffcfbe71a0a74877130d5a14c1a1228f4a0d0b

SHA512
dfc9a527173f7b412290760a689bfd97dc7a47185b7ebd252add2558f5c4706bcccf63d1dcc5c0f132313df62fb37fa98ff229b617e5e4afc940bba7798c8ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUcs.exe

Filesize
483KB

MD5
70e01ee97b2ffc0e0a597212976c3ccc

SHA1
6079f336e3766e98ca7607be6efe152320b77f53

SHA256
37367a12944e7bdae03e77c3a1254da35d67b9d8be4f581e2130437c285d82d2

SHA512
7cb7267dc13ee6508add538fefc060f4fa86b3ac1e936ea1a6e2dfd4611310c0b6e5fabadcf79ec3fdf54a4a611ceecc1d1a2d18c32249fc60731dd9890fb56c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sikEQYYY.bat

Filesize
4B

MD5
82399ce28a6b957c9bf0cf1593b04151

SHA1
9d23312a536e3c0a97a402b37e09760f347e5c61

SHA256
0e063017a5523c59385bb8251bf4ca3e77dce94794b2faa0a8bc4afa8320a7c3

SHA512
aff1f806ccabf007f71c659e2a70a2e287ef529a108ec2def6f6a39ac67f47148737c84c8fc1f2eb6b44222c8aee9a8d507c9b62dae1764b7a0a144a847d4a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgMsgAcs.bat

Filesize
4B

MD5
b2d9179a57f2b483abbbeae5e8f8e979

SHA1
e10f56ab695a3d326dce6e1b8e0183339948a907

SHA256
7d05b05c4c0ee74c344aa5e7eaf30cf58831deccda999a23af619901a668f9f1

SHA512
310949418cc7631ba5df5ed243af53d17bd7c8a1062f9750724285ad6325950bd6de1cb5fbf2d334808ad5e414ea730c0331394cdb2e8512fe5a906ac10198a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMUQEEEk.bat

Filesize
4B

MD5
b9e7388d77d97c2b079da5557a194ebb

SHA1
5dd856b3bff19e4e779f551452fb893a09e30e08

SHA256
32b1e4bf0f96b9e15b5c5787d1ffa0abc1d3b9748a9d001fa3ca3c9a8974e2c3

SHA512
38fb49bb1986c65f8e039bf8478365a9678ae5c25ac42775bc5df3e06a4f00da4bddcd040da53ada3f15548e334cb3097960e94126d8be3edec4848b48b1d9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwS.exe

Filesize
471KB

MD5
63afc8178d50f13baa8ffcfdcacdf8c7

SHA1
ad4a18b4d496da2400ed9e5f7426bed8959a7d6f

SHA256
a7277b9f3f09eae70b356be8ac596048f9972c1b3c69e9156bed6555ff13f16b

SHA512
ca3b7c516f39abb08d92dec794e6bbcc1f274dd371fc152f1fb2624559324371f70e42c32da0293985e930fcd18a84212a3f9828a707db21c9920efb7e2ae4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucoM.exe

Filesize
429KB

MD5
e866dbb9b0fa2c5973a427efe3b63f12

SHA1
8bd95e08034b8558bf96e17d6908abb0aaa5cbe1

SHA256
72fc8bc1141367b1aa4faaa049587c25f1498aeae2457c93485ff15ae2472ce7

SHA512
b2c54b12e68e75ba6623da0b4da5426e8cb5051f63167582fa161966e312af462ec8816b365e4c1ec4b6182240c0f5a52974b0ee7df7a43710f8cac15af5beaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukQa.exe

Filesize
473KB

MD5
c0964c5a9faf2f2c043e15005117ea8d

SHA1
8d02861d96b96cee354108b6cbce48d23698310c

SHA256
4d361cd7e144a98fed2ed6d3300546bb0a689a9cbf2ce6f6f6e25be1d738f1bf

SHA512
e325c05b50f3d212dad19f6c22ba49d498af6dacaf57a1795f0239aeb457d61558532e5c8be20425230625d8f535c576d1687cd9530e2fa9430e1ea3dd2877e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUwc.exe

Filesize
482KB

MD5
96306ef48e50ea7b53297bbe877f8008

SHA1
d37d912fe3527730212274ddf3cd96bd42076b86

SHA256
f912ea78e34c2dcb159645d5087163e38c140eef7642fd5d2079c3195f4a0694

SHA512
f7f5e2095947e5cfd365ae19838fb143664c66cdd926c2f879d2b527e5aac431a356c96b57865a697f7dd492e466415cec7c586e9a348f3b42482f94c82c534e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYwy.exe

Filesize
158KB

MD5
94dfee21b858a8d28f0d9f1ad2302da4

SHA1
58fed03a4aebe55db63f5db7369f8da2977ab8fa

SHA256
e0029c7d2b46ba0ee8b2f11c8f48ac1586d71514eebc7305180b22bf16c68746

SHA512
da9a290e25ef1489946518c1d957c7201c46fc84f799c079ea0579ff203ad7b6ca5bec1606492d60a28c994614861173c595951f2c93ea47e7e0482f95a05043

Download Submit
C:\Users\Admin\AppData\Local\Temp\wegIMYgk.bat

Filesize
4B

MD5
0327bc5d1194cbd6b925685dd63ebbda

SHA1
2548fdfc99a107af5a9da6f2cb0b6289268293b3

SHA256
4d0efe63dcd667921759e4eba7eb1bcd2aabe0ee91d25e4861ba507c29bb33b3

SHA512
fd31da5a2458174d3ce2af17dd139669170a41011a00300b95f803e197c03acd80a342dd752c4786db4c7af6cb48fa6a80855412ea19355cd24911feb236b788

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqYUsoAA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygoe.exe

Filesize
92KB

MD5
20789c14bb656260494106b5ab7023a7

SHA1
fa2c1d82964c46af9aec36a458ec104e8ed97c81

SHA256
dacab7b51f7859f5b0633d46d4e36c6f331e69a7c4b7c19651db0f9db2ab898d

SHA512
2f253f0b98db20cef25a942ba774ac21d42831c651a5ee6c078e29753f8a46205b8978a7215b1998662916736aac44695a45a6302b6c5909f57f753d5f02a379

Download Submit
C:\Users\Admin\AppData\Local\Temp\zOEIwoAQ.bat

Filesize
4B

MD5
990007756f2a7d5fd118a051b44ac302

SHA1
7d3ece87b5a2224e73f442c56d0f46f4e1e190e4

SHA256
345f26dc7cadf2c95aca957f97e80ef6ef1cf542a114fef0dcd0e39e4ee8073f

SHA512
3c64986856d84b770b54a4be7ffa63b2899200c450fa3a16cbbfc0f80b693b6398de11a987c28e802385ccf65165a4b7dc60ca0c0a79a4331dd64469ccdfa026

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqUIMUoY.bat

Filesize
4B

MD5
c38480d5a0366208044e19f2ad33c0d4

SHA1
86412c0cb46884cce22725d82677b4a0ae3c8b04

SHA256
d9171f3df763dd091812ba7e64783f61761666024df2a47af6b0dc189158e06c

SHA512
4a99b4f4ed78295df22044b2b309a328d374aed396eb35119ae51575a8d2b1aa85007191d29fb03d6f51f3d060fa94a8f393621301d5fc588eff56374629b700

Download Submit
C:\Users\Admin\Downloads\DisableShow.pdf.exe

Filesize
788KB

MD5
84d3a078f93e747acf6a5f049847ed0a

SHA1
b6cf89fac47207b89e85589c05d508aba0afa9d0

SHA256
20ea0c9e43308ef03d6ec718fd56a6a5c4817c26fee75d89b30904ad0ad4f39b

SHA512
039096705b3fcf40437575db74c213d11ee77f78ba8bd0bb85077d2271b603ebc9f461328b463eaf848b6115eec8a6e501149f9a8ee0b53c8b4d505ed7d777bb

Download Submit
C:\Users\Admin\Downloads\ExportSend.xlsm.exe

Filesize
1.0MB

MD5
01c7b6130508a521ae63b841a47b9cb2

SHA1
4b8b32ecb3a2645fb33cb53000d3724a6ab1bf43

SHA256
4b6d9a9fcdff499d1e5ee6232efac07801c5a698f56efab51db5034d7ba7d37f

SHA512
bf350dc31a6d58155a1fd69106a8cdb0d34f700a190f91db561fa2469ca4f95568c5c5ffaa20418cbb0e8f5b2ad9dd4c4261617a422416bae92066bf2967bffd

Download Submit
C:\Users\Admin\fWIsowwk\cAYggEUU.exe

Filesize
216KB

MD5
f34237e523df3c05b5a968b381d4f532

SHA1
d5d2b791d55305a4a1bb2ce871c16a720b1504a3

SHA256
11abd508d9273714bb7b8a942fd1d28eb24d658d1990a69fd26fd3a5fe991672

SHA512
19a837d253e6430c03e5c2a3788526ea2079c821b7b459600186d15922616b997c38cdbab7fc6ea2250f5085a85659b70c5c2c34f67c75688fffd4186554b91d

Download Submit
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

Filesize
74KB

MD5
0c460df51fba46bb2c04d698a776a4dc

SHA1
c8f75a6ed1052f2172669981cab388782414d460

SHA256
924131afdea4ae624d3c5e375b42b356f97eb2315e30155a121761fe3341965c

SHA512
21897b7f43c65af2318f5192ffd7843410ad17fc3abd7dbc2bef68668395b5093b29a05b04adb975684e822be54b7699b8054ffdd7fdbf91c6c923b6a603b0b9

Download Submit
\Users\Admin\fWIsowwk\cAYggEUU.exe

Filesize
434KB

MD5
5c854d81c0bd3b3983378f68944ba9d5

SHA1
6c6f48f7ce96ce508d8f3850301643cd64cd49d8

SHA256
0165856a4e4a602294c8a6389bae365ce4a7e2cb5e7b8f1a54a4dd1e4b2184be

SHA512
c371a0a3d13ecb9d9e73f218c3f2070a56e86793bff908dc668a6359045e3a725609d74c2af51a8c3ce6f362448ddf96564b971b40cf61e6edb07072d5e92621

Download Submit
memory/324-459-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/324-431-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/636-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/636-236-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/776-213-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/776-246-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/816-326-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/816-358-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/900-336-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/900-304-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/944-97-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/944-66-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1152-478-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1152-450-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1176-564-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1176-592-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1180-573-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1180-545-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1476-166-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1476-155-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1476-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1488-583-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1488-611-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1652-381-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1652-349-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1660-421-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1660-393-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1684-174-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1684-132-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1732-554-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1732-526-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2068-440-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2068-412-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2176-602-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2240-268-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2240-235-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2240-119-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2240-88-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2352-497-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2352-469-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2428-110-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2428-142-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2464-535-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2464-507-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2488-199-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2488-157-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2588-281-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2588-313-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2652-402-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2652-371-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2672-33-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2672-53-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2760-190-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2760-75-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2760-222-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2760-44-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2884-156-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2884-19-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2896-291-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2896-259-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2996-212-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2996-22-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3020-488-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3020-516-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download